| rfc9824v3.txt | rfc9824.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force (IETF) S. Huque | Internet Engineering Task Force (IETF) S. Huque | |||
| Request for Comments: 9824 Salesforce | Request for Comments: 9824 Salesforce | |||
| Updates: 4034, 4035 C. Elmerot | Updates: 4034, 4035 C. Elmerot | |||
| Category: Standards Track Cloudflare | Category: Standards Track Cloudflare | |||
| ISSN: 2070-1721 O. Gudmundsson | ISSN: 2070-1721 O. Gudmundsson | |||
| Retired/Unaffiliated | ||||
| August 2025 | August 2025 | |||
| Compact Denial of Existence in DNSSEC | Compact Denial of Existence in DNSSEC | |||
| Abstract | Abstract | |||
| This document describes a technique to generate a signed DNS response | This document describes a technique to generate a signed DNS response | |||
| on demand for a nonexistent name by claiming that the name exists but | on demand for a nonexistent name by claiming that the name exists but | |||
| doesn't have any data for the queried record type. Such responses | doesn't have any data for the queried record type. Such responses | |||
| require only one minimally covering NSEC or NSEC3 record, allow | require only one minimally covering NSEC or NSEC3 record, allow | |||
| skipping to change at line 145 ¶ | skipping to change at line 144 ¶ | |||
| type bitmap because Empty Non-Terminal (ENT) names (which positively | type bitmap because Empty Non-Terminal (ENT) names (which positively | |||
| exist) also have no record types at the name and will return exactly | exist) also have no record types at the name and will return exactly | |||
| the same Type Bit Maps field. | the same Type Bit Maps field. | |||
| This specification defines the use of NXNAME (128), a synthetic RR | This specification defines the use of NXNAME (128), a synthetic RR | |||
| type to signal the presence of a nonexistent name. See Section 9. | type to signal the presence of a nonexistent name. See Section 9. | |||
| The mnemonic for this RR type is NXNAME, chosen to clearly | The mnemonic for this RR type is NXNAME, chosen to clearly | |||
| distinguish it from the response code mnemonic NXDOMAIN. | distinguish it from the response code mnemonic NXDOMAIN. | |||
| This RR type is added to the NSEC Type Bit Maps field for responses | This RR type is added to the NSEC Type Bit Maps field for responses | |||
| to nonexistent names, in addition to the required RRSIG and NSEC | to nonexistent names, in addition to the mandated RRSIG and NSEC | |||
| types. If NSEC3 is being used, this RR type is the sole entry in the | types. If NSEC3 is being used, this RR type is the sole entry in the | |||
| Type Bit Maps field. It is a "Meta-TYPE", as defined in [RFC6895], | Type Bit Maps field. It is a "Meta-TYPE", as defined in [RFC6895], | |||
| and it stores no data in a DNS zone and cannot be usefully queried. | and it stores no data in a DNS zone and cannot be usefully queried. | |||
| Section 3.5 describes what a DNS resolver or authoritative server | Section 3.5 describes what a DNS resolver or authoritative server | |||
| should do if it receives an explicit query for NXNAME. | should do if it receives an explicit query for NXNAME. | |||
| No special handling of this RR type is required on the part of DNS | No special handling of this RR type is required on the part of DNS | |||
| resolvers. However, resolvers may optionally implement the behavior | resolvers. However, resolvers may optionally implement the behavior | |||
| described in Section 5.1 ("Signaled Response Code Restoration") to | described in Section 5.1 ("Signaled Response Code Restoration") to | |||
| better restore NXDOMAIN visibility to various applications that may | better restore NXDOMAIN visibility to various applications that may | |||
| skipping to change at line 182 ¶ | skipping to change at line 181 ¶ | |||
| The Next Domain Name field SHOULD be set to the immediate | The Next Domain Name field SHOULD be set to the immediate | |||
| lexicographic successor of the QNAME. This is accomplished by adding | lexicographic successor of the QNAME. This is accomplished by adding | |||
| a leading label with a single null (zero-value) octet. The Type Bit | a leading label with a single null (zero-value) octet. The Type Bit | |||
| Maps field MUST only have the bits set for the following RR Types: | Maps field MUST only have the bits set for the following RR Types: | |||
| RRSIG, NSEC, and NXNAME. | RRSIG, NSEC, and NXNAME. | |||
| For example, a request for the nonexistent name "a.example.com." | For example, a request for the nonexistent name "a.example.com." | |||
| would result in the generation of the following NSEC record (in DNS | would result in the generation of the following NSEC record (in DNS | |||
| presentation format): | presentation format): | |||
| a.example.com. 3600 IN NSEC \000.a.example.com. RRSIG NSEC NXNAME | a.example.com. 300 IN NSEC \000.a.example.com. RRSIG NSEC NXNAME | |||
| The NSEC record MUST have corresponding RRSIGs generated. | The NSEC record MUST have corresponding RRSIGs generated. | |||
| 3.2. Responses for Nonexistent Types | 3.2. Responses for Nonexistent Types | |||
| When the authoritative server receives a query for a name that exists | When the authoritative server receives a query for a name that exists | |||
| but has no resource record sets associated with the queried type, it | but has no resource record sets associated with the queried type, it | |||
| generates a NODATA response with a dynamically constructed signed | generates a NODATA response with a dynamically constructed signed | |||
| NSEC record in the Authority section. The owner name of the NSEC | NSEC record in the Authority section. The owner name of the NSEC | |||
| record matches the QNAME. The Next Domain Name field is set to the | record matches the QNAME. The Next Domain Name field is set to the | |||
| skipping to change at line 240 ¶ | skipping to change at line 239 ¶ | |||
| With Compact Denial of Existence, the Next Domain Name field for this | With Compact Denial of Existence, the Next Domain Name field for this | |||
| NSEC record is computed with a slightly different epsilon function | NSEC record is computed with a slightly different epsilon function | |||
| than the immediate lexicographic successor of the owner name, as that | than the immediate lexicographic successor of the owner name, as that | |||
| name would then fall under the delegated subzone. Instead, the Next | name would then fall under the delegated subzone. Instead, the Next | |||
| Domain Name field is formed by appending a zero octet to the first | Domain Name field is formed by appending a zero octet to the first | |||
| label of the owner name. | label of the owner name. | |||
| For example, a referral response for the subzone sub.example.com | For example, a referral response for the subzone sub.example.com | |||
| would include an NSEC record like the following: | would include an NSEC record like the following: | |||
| sub.example.com. 3600 IN NSEC sub\000.example.com. NS RRSIG NSEC | sub.example.com. 300 IN NSEC sub\000.example.com. NS RRSIG NSEC | |||
| 3.5. Responses to Explicit Queries for NXNAME | 3.5. Responses to Explicit Queries for NXNAME | |||
| NXNAME is a Meta-TYPE that should not appear anywhere in a DNS | NXNAME is a Meta-TYPE that SHOULD NOT appear anywhere in a DNS | |||
| message apart from the NSEC type bitmap of a Compact Answer response | message apart from the NSEC type bitmap of a Compact Answer response | |||
| for a nonexistent name. However, if a DNS server implementing this | for a nonexistent name. However, if a DNS server implementing this | |||
| specification receives an explicit query for the NXNAME RR type, this | specification receives an explicit query for the NXNAME RR type, this | |||
| section describes what the response should be. | section describes what the response ought to be. | |||
| If an explicit query for the NXNAME RR type is received, the DNS | If an explicit query for the NXNAME RR type is received, the DNS | |||
| server MUST return a Format Error (response code FORMERR). A | server MUST return a Format Error (response code FORMERR). A | |||
| resolver should not forward these queries upstream or attempt | resolver SHOULD NOT forward these queries upstream or attempt | |||
| iterative resolution. Many DNS server implementations already return | iterative resolution. Many DNS server implementations already return | |||
| errors for all types in the range for Meta-TYPEs and QTYPEs, except | errors for all types in the range for Meta-TYPEs and QTYPEs, except | |||
| those types that are already defined to support queries. | those types that are already defined to support queries. | |||
| Optionally, a DNS server MAY also include the following Extended DNS | Optionally, a DNS server MAY also include the following Extended DNS | |||
| Error (EDE) code [RFC8914] in the response: 30 (Invalid Query Type). | Error (EDE) code [RFC8914] in the response: 30 (Invalid Query Type). | |||
| See Section 9. | See Section 9. | |||
| Note that this EDE code is generally applicable to any RR type that | Note that this EDE code is generally applicable to any RR type that | |||
| should not appear in DNS queries. | ought not appear in DNS queries. | |||
| 4. Generating Responses with NSEC3 | 4. Generating Responses with NSEC3 | |||
| NSEC3 [RFC5155] uses hashed names to provide zone enumeration | NSEC3 [RFC5155] uses hashed names to provide zone enumeration | |||
| defense. This protection is already better provided by minimally | defense. This protection is better provided by minimally covering | |||
| covering NSEC records. NSEC3's Opt-Out feature also provides no | NSEC records. NSEC3's Opt-Out feature also provides no specific | |||
| specific benefit for online signing implementations (minimally | benefit for online signing implementations (minimally covering NSEC3 | |||
| covering NSEC3 records provide no useful Opt-Out span). Hence, there | records provide no useful Opt-Out span). Hence, there is no known | |||
| is no known advantage to implementing Compact Denial of Existence | advantage to implementing Compact Denial of Existence with NSEC3. | |||
| with NSEC3. However, an existing implementation of conventional | However, an existing implementation of conventional NSEC3 online | |||
| NSEC3 online signing migrating to Compact Denial of Existence may | signing migrating to Compact Denial of Existence may find it simpler | |||
| find it simpler to do so with NSEC3 rather than implementing NSEC | to do so with NSEC3 rather than implementing NSEC from scratch. | |||
| from scratch. | ||||
| For NSEC3, the functional details of the protocol remain as described | For NSEC3, the functional details of the protocol remain as described | |||
| in Section 3, with the following changes. | in Section 3, with the following changes. | |||
| NSEC3 records and their signatures are dynamically generated instead | NSEC3 records and their signatures are dynamically generated instead | |||
| of NSEC. | of NSEC. | |||
| The NSEC3 parameters should be set to algorithm 1, a flags field of | The NSEC3 parameters SHOULD be set to algorithm 1, a flags field of | |||
| 0, an additional hash iteration count of 0, and an empty salt. In | 0, an additional hash iteration count of 0, and an empty salt. In | |||
| DNS presentation format, this is "1 0 0 -". | DNS presentation format, this is "1 0 0 -". | |||
| The owner name of the NSEC3 resource record is the NSEC3 hash of the | The owner name of the NSEC3 resource record is the NSEC3 hash of the | |||
| relevant domain name, encoded in Base32 with Extended Hex Alphabet | relevant domain name, encoded in Base32 with Extended Hex Alphabet | |||
| ([RFC4648], Section 7), prepended as a single label to the name of | ([RFC4648], Section 7), prepended as a single label to the name of | |||
| the zone. The Next Hashed Owner Name is the immediate name successor | the zone. The Next Hashed Owner Name is the immediate name successor | |||
| of the unencoded binary form of the previous hash, which can be | of the unencoded binary form of the previous hash, which can be | |||
| computed by adding one to the binary hash value. | computed by adding one to the binary hash value. | |||
| skipping to change at line 715 ¶ | skipping to change at line 713 ¶ | |||
| Email: shuque@gmail.com | Email: shuque@gmail.com | |||
| Christian Elmerot | Christian Elmerot | |||
| Cloudflare | Cloudflare | |||
| 101 Townsend St. | 101 Townsend St. | |||
| San Francisco, CA 94107 | San Francisco, CA 94107 | |||
| United States of America | United States of America | |||
| Email: elmerot@cloudflare.com | Email: elmerot@cloudflare.com | |||
| Olafur Gudmundsson | Olafur Gudmundsson | |||
| Retired/Unaffiliated | ||||
| Email: ogud@ogud.com | Email: ogud@ogud.com | |||
| End of changes. 11 change blocks. | ||||
| 19 lines changed or deleted | 16 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||