[net-dns-users] NSEC::covered() ?

Wessels, Duane dwessels at verisign.com
Fri Apr 13 19:24:06 UTC 2018


I think I could be very happy if NSEC was modeled after what currently exists for NSEC3. It gets me 80-90% of what I want at this time.


If you want to make improvements, then I could envision four boolean methods that say whether or not an NSEC(3) proves the various cases that need to be proved.  For example:

   nsec_proves_nxdomain ($nsec, $name)

   nsec_proves_nodata ($nsec, $name, $type)

   nsec_proves_nxdomain_wildcard ($nsec, $name)

   nsec_proves_nxdomain_nodata ($nsec, $name, $type)

The caller would iterate through the available NSEC RRs until finding one that returns true, and the caller would be responsible for validating the signatures.


DW


> On Apr 13, 2018, at 10:41 AM, Dick Franks <rwfranks at acm.org> wrote:
> 
> 
> On 12 April 2018 at 16:36, Wessels, Duane <dwessels at verisign.com> wrote:
> I see NSEC3 as a covered() method, but nothing similar for plain old NSEC.  Are there any helper functions available to assist with this, i.e. name canonicalization and comparison?
> 
> Before we add yet more stuff, a few questions need answers:
> 
> 1) Is the current NSEC3 model the right shape to support your use case?
> 
> 2) What improvements, if any, need to be made to the NSEC3 model?
> 
> 3) Would NSEC replacement, following a similar design pattern, meet your requirement?
> 
> 4) If not, why not?
> 
> 
> 
> _____________________________________________
> net-dns-users mailing list
> net-dns-users at nlnetlabs.nl
> https://www.nlnetlabs.nl/mailman/listinfo/net-dns-users
> 
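As an added illustration (not Net::DNS code, and in Python rather than Perl so it runs stand-alone), the sketch below shows the pieces this thread asks for: RFC 4034 section 6.1 canonical name ordering, a covered() test for NSEC that handles the last record wrapping back to the apex, the four proof predicates proposed above, and a caller that iterates the available NSEC RRs. Two deviations are assumptions of this example: the two wildcard predicates take the closest encloser as an extra argument, derived from the NSEC that covers the query name (the longer common ancestor with its owner or next name), and the delegation, CNAME and empty-non-terminal guards that validators apply are folded into the predicates. The zone is constructed, signature validation is assumed to happen elsewhere as the post says, and escaped \DDD octets in labels are not handled.

```python
"""Added example: NSEC ordering, covered() and the four proof predicates."""


def labels(name):
    """Canonical form: lower-case, no trailing dot, labels from the root down.
    Assumption: labels carry no escaped \\DDD octets."""
    name = name.rstrip(".").lower()
    return name.split(".")[::-1] if name else []


def canonical_cmp(a, b):
    """RFC 4034 s6.1 canonical order: label by label from the root, unsigned
    octets, a prefix sorts first. Returns -1, 0 or 1."""
    la, lb = labels(a), labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x.encode() < y.encode() else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def is_ancestor_or_self(anc, name):
    la, ln = labels(anc), labels(name)
    return ln[: len(la)] == la


def nsec_covers(nsec, name):
    """True if name sorts strictly between owner and next. The last NSEC in a
    zone points back to the apex (next <= owner), so that range wraps."""
    owner, nxt = nsec["owner"], nsec["next"]
    if canonical_cmp(owner, nxt) < 0:
        return canonical_cmp(owner, name) < 0 and canonical_cmp(name, nxt) < 0
    return canonical_cmp(owner, name) < 0 or canonical_cmp(name, nxt) < 0


def nsec_proves_nxdomain(nsec, name):
    """name does not exist: it is covered, it is not an empty non-terminal
    (next name below it), and the NSEC is not a delegation or DNAME above
    it, which would say nothing about names in the child zone."""
    if not nsec_covers(nsec, name) or is_ancestor_or_self(name, nsec["next"]):
        return False
    types = nsec["types"]
    if is_ancestor_or_self(nsec["owner"], name):
        if "DNAME" in types or ("NS" in types and "SOA" not in types):
            return False
    return True


def nsec_proves_nodata(nsec, name, qtype):
    """name exists but has no qtype: owner is name and the bitmap lacks it
    (a delegation NSEC only speaks for DS; a CNAME owner answers with the
    CNAME), or name is an empty non-terminal sitting above the next name."""
    types = nsec["types"]
    if canonical_cmp(nsec["owner"], name) == 0:
        if qtype in types:
            return False
        if "CNAME" in types and qtype != "CNAME":
            return False
        if "NS" in types and "SOA" not in types and qtype != "DS":
            return False
        return True
    return nsec_covers(nsec, name) and is_ancestor_or_self(name, nsec["next"])


def closest_encloser(nsec, name):
    """Longest existing ancestor of name, taken from the covering NSEC: the
    longer common ancestor of name with the owner or with the next name."""
    best = []
    for other in (nsec["owner"], nsec["next"]):
        common = []
        for x, y in zip(labels(other), labels(name)):
            if x != y:
                break
            common.append(x)
        if len(common) > len(best):
            best = common
    return ".".join(best[::-1]) + "."


def nsec_proves_nxdomain_wildcard(nsec, name, ce):
    """No wildcard applies to name: *.<closest encloser> is itself absent."""
    return is_ancestor_or_self(ce, name) and nsec_proves_nxdomain(nsec, "*." + ce)


def nsec_proves_nxdomain_nodata(nsec, name, qtype, ce):
    """Wildcard NODATA: name is below ce, *.<ce> exists but lacks qtype."""
    if not is_ancestor_or_self(ce, name) or canonical_cmp(ce, name) == 0:
        return False
    return nsec_proves_nodata(nsec, "*." + ce, qtype)


def prove_nxdomain(nsecs, qname):
    """Iterate the NSEC RRs as the post describes. Returns the closest
    encloser when qname and its wildcard are both proven absent, else None."""
    for cover in nsecs:
        if nsec_proves_nxdomain(cover, qname):
            ce = closest_encloser(cover, qname)
            if any(nsec_proves_nxdomain_wildcard(n, qname, ce) for n in nsecs):
                return ce
    return None


def prove_nodata(nsecs, qname, qtype):
    """Direct NODATA, or wildcard NODATA (qname absent, *.<ce> present)."""
    if any(nsec_proves_nodata(n, qname, qtype) for n in nsecs):
        return True
    for cover in nsecs:
        if nsec_proves_nxdomain(cover, qname):
            ce = closest_encloser(cover, qname)
            if any(nsec_proves_nxdomain_nodata(n, qname, qtype, ce) for n in nsecs):
                return True
    return False


# Constructed NSEC chain for a small zone: apex, a host, a wildcard under the
# empty non-terminal b.example, a name beside it, and a delegation to sub.
ZONE = [
    {"owner": "example.", "next": "a.example.", "types": {"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"}},
    {"owner": "a.example.", "next": "*.b.example.", "types": {"A", "RRSIG", "NSEC"}},
    {"owner": "*.b.example.", "next": "x.b.example.", "types": {"TXT", "RRSIG", "NSEC"}},
    {"owner": "x.b.example.", "next": "sub.example.", "types": {"A", "RRSIG", "NSEC"}},
    {"owner": "sub.example.", "next": "example.", "types": {"NS", "RRSIG", "NSEC"}},
]

if __name__ == "__main__":
    print(prove_nxdomain(ZONE, "zzz.example."))          # example.
    print(prove_nxdomain(ZONE, "y.b.example."))          # None: wildcard applies
    print(prove_nodata(ZONE, "y.b.example.", "A"))       # True: wildcard NODATA
    print(prove_nxdomain(ZONE, "host.sub.example."))     # None: below a delegation
```

The two interesting negatives are `y.b.example.`, which is covered but sits under a live wildcard and so can only be answered as wildcard NODATA or a wildcard expansion, and `host.sub.example.`, which the parent's delegation NSEC covers without proving anything about it.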

