[net-dns-users] NSEC::covered() ?
Wessels, Duane
dwessels at verisign.com
Fri Apr 13 19:24:06 UTC 2018
I think I could be very happy if NSEC was modeled after what currently exists for NSEC3. It gets me 80-90% of what I want at this time.
If you want to make improvements, then I could envision four boolean methods that say whether or not an NSEC(3) proves the various cases that need to be proved. For example:
nsec_proves_nxdomain ($nsec, $name)
nsec_proves_nodata ($nsec, $name, $type)
nsec_proves_nxdomain_wildcard ($nsec, $name)
nsec_proves_nxdomain_nodata ($nsec, $name, $type)
The caller would iterate through the available NSEC RRs until finding one that returns true, and the caller would be responsible for validating the signatures.
DW
> On Apr 13, 2018, at 10:41 AM, Dick Franks <rwfranks at acm.org> wrote:
>
>
> On 12 April 2018 at 16:36, Wessels, Duane <dwessels at verisign.com> wrote:
> I see NSEC3 as a covered() method, but nothing similar for plain old NSEC. Are there any helper functions available to assist with this, i.e. name canonicalization and comparison?
>
> Before we add yet more stuff, a few questions need answers:
>
> 1) Is the current NSEC3 model the right shape to support your use case?
>
> 2) What improvements, if any, need to be made to the NSEC3 model?
>
> 3) Would NSEC replacement, following a similar design pattern, meet your requirement?
>
> 4) If not, why not?
>
>
>
> _____________________________________________
> net-dns-users mailing list
> net-dns-users at nlnetlabs.nl
> https://www.nlnetlabs.nl/mailman/listinfo/net-dns-users
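The kind of helper asked about in this thread, as an added example that is not part of the original messages and not Net::DNS code: RFC 4034 canonical name comparison, an NSEC covered test, and the NXDOMAIN check built on it. The hash layout and the names canon_cmp, is_below and nsec_covers are hypothetical; the code assumes fully qualified names without escapes, and leaves signature validation and the wildcard proof to the caller.

```perl
use strict;
use warnings;

# RFC 4034 section 6.1 canonical order: labels compared right to left,
# lowercased, as octet strings; the name that runs out of labels sorts first.
# Assumes FQDNs with a trailing dot and no escaped dots or \DDD sequences.
sub canon_cmp {
    my ($x, $y) = @_;
    my @a = reverse split /\./, lc $x;
    my @b = reverse split /\./, lc $y;
    while (@a && @b) {
        my $c = shift(@a) cmp shift(@b);
        return $c if $c;
    }
    return @a <=> @b;
}

# True when $name is a strict subdomain of $parent.
sub is_below {
    my ($name, $parent) = map { lc $_ } @_;
    $parent = '' if $parent eq '.';
    return $name =~ /.\.\Q$parent\E\z/s ? 1 : 0;
}

# Does the interval (owner, next) contain $name? The last NSEC of a zone
# has next == apex, so the interval wraps; there $name must also be inside
# the zone, or any out-of-zone name sorting after owner would look covered.
sub nsec_covers {
    my ($nsec, $name) = @_;
    return 0 unless canon_cmp($name, $nsec->{owner}) > 0;
    return canon_cmp($nsec->{owner}, $nsec->{next}) < 0
        ? canon_cmp($name, $nsec->{next}) < 0
        : is_below($name, $nsec->{next});
}

# Covered, and not an empty non-terminal: when next sits below $name, $name
# exists without records of its own, so the NSEC cannot show NXDOMAIN.
sub nsec_proves_nxdomain {
    my ($nsec, $name) = @_;
    return nsec_covers($nsec, $name) && !is_below($nsec->{next}, $name);
}

# Constructed NSEC records for an imaginary zone example.com.
my $mid  = { owner => 'a.example.com.', next => 'x.b.example.com.' };
my $last = { owner => 'z.example.com.', next => 'example.com.' };
for my $t ([$mid, 'AB.example.com.'], [$mid, 'b.example.com.'],
           [$last, 'zz.example.com.'], [$last, 'a.example.net.']) {
    printf "%-16s %s\n", $t->[1], nsec_proves_nxdomain(@$t) ? 'proved' : 'not proved';
}
```

The second and fourth sample names are the two cases a plain "sorts between owner and next" test gets wrong: an empty non-terminal and an out-of-zone name checked against the wrapping NSEC.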