> On 3 Aug 2025, at 20:20, John R Levine <[email protected]> wrote:
>
> Someone proposed this approach to prevent NSEC zone walking while doing
> static signing:
>
> Divide your zone into the public names and the private names
>
> Sign the two sets separately
>
> Throw away the NSEC records from the private set, then merge them, so the
> names from the private set only have RRSIGs, the public set has RRSIGs and NSEC
>
> The idea is that if you look up private names you'll get the RRSIG to prove
> it's real, but if you look up anything else, the NSECs won't give them away.
>
> I can think of at least two reasons this won't work. One is that if you
> query for a private name but an RRTYPE that doesn't exist at that name (for
> example, you query for AAAA but it only has A) there's no NSEC to prove that
> the name exists but the RRTYPE doesn't. Another is that if your cache does
> RFC 8198 NXDOMAIN synthesis, it'll give you NXDOMAIN for private names that
> happen to be in a cached NSEC range.
>
> Am I missing anything? Asking for a friend.

You're not missing anything. Aggressive negative caching will kill this idea.

Roy

> R's,
> John
>
> PS: You don't have to tell me about NSEC3 or white lies or black lies, I know
> they exist and they work. I wrote a white lie server for abuse.net in about
> 400 lines of python. It wasn't hard.
>
> _______________________________________________
> DNSOP mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
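The RFC 8198 failure mode the thread describes, as an added illustration that is not code from the thread or from any resolver: a validating resolver that has cached the NSEC chain of the public names will synthesise NXDOMAIN for a private name that falls inside a cached span, even though the private name exists and carries an RRSIG. The zone names are constructed, and the closest-encloser step is simplified by assuming private names sit one label below the apex.

```python
"""Aggressive NSEC caching (RFC 8198) versus 'private names signed without NSEC'."""
from __future__ import annotations


def canonical_key(name: str) -> list[bytes]:
    """Sort key for RFC 4034 s6.1 canonical ordering: labels are compared
    right to left, case-insensitively, as octet strings; a name that is a
    proper ancestor of another sorts first (shorter list compares lower)."""
    trimmed = name.rstrip(".").lower()
    labels = trimmed.encode().split(b".") if trimmed else []
    return labels[::-1]


def covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname lies strictly between the NSEC owner and its next name
    in canonical order, handling the last NSEC that wraps back to the apex."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # wrap-around record: everything past owner


def synthesize_nxdomain(cache: list[tuple[str, str]], qname: str,
                        apex: str) -> tuple[str, str] | None:
    """RFC 8198 s5.1: if a cached NSEC covers qname and a cached NSEC also
    covers the wildcard at the closest encloser, answer NXDOMAIN from cache
    without asking the authoritative server. Returns the covering NSEC.
    Assumption for this illustration: qname is one label below the apex,
    so the closest encloser is the apex itself."""
    covering = next(((o, n) for o, n in cache if covers(o, n, qname)), None)
    if covering is None:
        return None
    if any(covers(o, n, "*." + apex) for o, n in cache):
        return covering
    return None  # a wildcard might exist; must query upstream


# Constructed zone: only the public names form an NSEC chain.
APEX = "example."
PUBLIC_NSEC_CHAIN = [
    ("example.", "alpha.example."),
    ("alpha.example.", "mail.example."),
    ("mail.example.", "zulu.example."),
    ("zulu.example.", "example."),
]
PRIVATE_NAME = "secret.example."  # exists, has RRSIGs, deliberately has no NSEC


def demo() -> tuple[str, str] | None:
    # Once the resolver has seen mail.example. NSEC zulu.example. (e.g. from a
    # query for a random name), it 'proves' secret.example. does not exist.
    return synthesize_nxdomain(PUBLIC_NSEC_CHAIN, PRIVATE_NAME, APEX)


if __name__ == "__main__":
    print(demo())  # ('mail.example.', 'zulu.example.')
```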
