automatic reverse and forwarding zones

Havard Eidnes he at uninett.no
Thu Oct 27 10:45:00 UTC 2022


>     > It probably does not play well with DNSSEC, although I was thinking
>     > about whether some amount of wildcards in the signed reverse could
>     > help, but I don't think so.
>
> Well, what if the reverse is an NSEC3... does that let the server
> make up stuff without having to sign it all?  I don't think so, but
> I'm thinking out loud here.

Not sure what you're thinking of here.  "A reverse" is, I think,
most often thought to be a PTR record, so it can't be an NSEC3
record.

A DNS reply which includes the NSEC3 records is typically given as
part of an "authenticated denial of existence" response, i.e. the
server expresses "there is no name in the zone matching the
queried-for name, and there is no name between those names with these hashes
in the zone", and the status code in the reply is then NXDOMAIN.
This also means that no wildcard record in the zone matched the
queried-for name.

The publishing name server then has no way to "make up stuff", and
there's no need to sign anything on the fly -- the NSEC3 records and
their signatures can be pre-computed when the zone contents are known
(typically when it is loaded).

Regards,

- Håvard
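The NSEC3 mechanics Håvard describes above, as an added example that is not part of the original thread and is not BIND code. It hashes owner names the way RFC 5155 section 5 specifies (SHA-1, salt, extra iterations, base32hex), builds the sorted chain once (the "pre-computed when the zone is loaded" step; the RRSIGs over each NSEC3, which are computed at the same time, are omitted here), and then assembles the three facts an NXDOMAIN answer carries: the closest encloser exists, the next closer name falls in a gap, and the wildcard under the closest encloser also falls in a gap. The hash parameters and owner names are taken from RFC 5155 Appendix A; the `deny` function, its status strings and the chain layout as a dict are my own construction for illustration.

```python
"""Toy NSEC3 chain and denial-of-existence lookup (illustration, not BIND code).

Parameters and owner names follow RFC 5155 Appendix A: SHA-1, 12 extra
iterations, salt aabbccdd, zone apex "example.".  Everything else
(chain as a dict, deny(), status strings) is a constructed illustration.
"""
import base64
import hashlib

SALT = bytes.fromhex("aabbccdd")   # RFC 5155 Appendix A NSEC3PARAM
ITERATIONS = 12

# Constructed zone contents: the owner names of the RFC 5155 example zone.
ZONE_NAMES = [
    "example.", "a.example.", "ai.example.", "ns1.example.", "ns2.example.",
    "w.example.", "*.w.example.", "x.w.example.", "y.w.example.",
    "x.y.w.example.", "xx.example.",
]

# base32 (A-Z2-7) -> base32hex (0-9A-V); same bit layout, only the alphabet differs.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical wire form (RFC 4034 s.6.2): lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt=SALT, iterations=ITERATIONS):
    """RFC 5155 s.5: H(name||salt), then `iterations` rounds of H(prev||salt); base32hex, lowercase."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode("ascii").translate(_B32_TO_B32HEX).lower()


def build_chain(names):
    """Precompute the chain once: sorted hashed owners, each pointing at the next (last wraps to first)."""
    hashes = sorted(nsec3_hash(n) for n in names)
    return {h: hashes[(i + 1) % len(hashes)] for i, h in enumerate(hashes)}


def covering_record(chain, qhash):
    """Return (owner, next) of the NSEC3 whose gap contains qhash, or None if qhash is an owner."""
    if qhash in chain:
        return None
    for owner, nxt in chain.items():
        in_gap = owner < qhash < nxt
        wraps = nxt <= owner and (qhash > owner or qhash < nxt)   # last record wraps to first
        if in_gap or wraps:
            return owner, nxt
    raise ValueError("chain is not a closed loop")


def deny(chain, qname):
    """What the server can prove about qname from the precomputed chain alone (RFC 5155 s.7.2.2)."""
    if nsec3_hash(qname) in chain:
        return {"status": "NOERROR"}            # exact match: nothing to deny
    labels = qname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):             # walk up until an ancestor exists in the zone
        closest = ".".join(labels[i:]) + "."
        if nsec3_hash(closest) not in chain:
            continue
        next_closer = ".".join(labels[i - 1:]) + "."
        wildcard_cover = covering_record(chain, nsec3_hash("*." + closest))
        if wildcard_cover is None:
            return {"status": "WILDCARD", "closest_encloser": closest}   # *.closest exists: synthesize
        return {"status": "NXDOMAIN",
                "closest_encloser": closest,
                "next_closer_covered_by": covering_record(chain, nsec3_hash(next_closer)),
                "wildcard_covered_by": wildcard_cover}
    return {"status": "OUT_OF_ZONE"}            # no ancestor here: not this server's question


if __name__ == "__main__":
    chain = build_chain(ZONE_NAMES)
    for q in ("x.w.example.", "a.c.x.w.example.", "foo.w.example.", "foo.org."):
        print(q, deny(chain, q))
```

Every value in the NXDOMAIN answer comes from records that existed before the query arrived, which is the point of the reply: the server selects precomputed NSEC3s (and their precomputed signatures), it never derives anything from the queried-for name that would need signing on the fly.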


More information about the bind-users mailing list