summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc5155.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc5155.txt')
-rw-r--r--doc/rfc/rfc5155.txt2915
1 files changed, 2915 insertions, 0 deletions
diff --git a/doc/rfc/rfc5155.txt b/doc/rfc/rfc5155.txt
new file mode 100644
index 0000000..d4b7297
--- /dev/null
+++ b/doc/rfc/rfc5155.txt
@@ -0,0 +1,2915 @@
+
+
+
+
+
+
+Network Working Group B. Laurie
+Request for Comments: 5155 G. Sisson
+Category: Standards Track R. Arends
+ Nominet
+ D. Blacka
+ VeriSign, Inc.
+ March 2008
+
+
+ DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
+
+Status of This Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Abstract
+
+ The Domain Name System Security (DNSSEC) Extensions introduced the
+ NSEC resource record (RR) for authenticated denial of existence.
+ This document introduces an alternative resource record, NSEC3, which
+ similarly provides authenticated denial of existence. However, it
+ also provides measures against zone enumeration and permits gradual
+ expansion of delegation-centric zones.
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 1.1. Rationale . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 1.2. Requirements . . . . . . . . . . . . . . . . . . . . . . . 4
+ 1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
+ 2. Backwards Compatibility . . . . . . . . . . . . . . . . . . . 6
+ 3. The NSEC3 Resource Record . . . . . . . . . . . . . . . . . . 7
+ 3.1. RDATA Fields . . . . . . . . . . . . . . . . . . . . . . . 8
+ 3.1.1. Hash Algorithm . . . . . . . . . . . . . . . . . . . . 8
+ 3.1.2. Flags . . . . . . . . . . . . . . . . . . . . . . . . 8
+ 3.1.3. Iterations . . . . . . . . . . . . . . . . . . . . . . 8
+ 3.1.4. Salt Length . . . . . . . . . . . . . . . . . . . . . 8
+ 3.1.5. Salt . . . . . . . . . . . . . . . . . . . . . . . . . 8
+ 3.1.6. Hash Length . . . . . . . . . . . . . . . . . . . . . 9
+ 3.1.7. Next Hashed Owner Name . . . . . . . . . . . . . . . . 9
+ 3.1.8. Type Bit Maps . . . . . . . . . . . . . . . . . . . . 9
+ 3.2. NSEC3 RDATA Wire Format . . . . . . . . . . . . . . . . . 9
+ 3.2.1. Type Bit Maps Encoding . . . . . . . . . . . . . . . . 10
+ 3.3. Presentation Format . . . . . . . . . . . . . . . . . . . 11
+
+
+
+Laurie, et al. Standards Track [Page 1]
+
+RFC 5155 NSEC3 March 2008
+
+
+ 4. The NSEC3PARAM Resource Record . . . . . . . . . . . . . . . . 12
+ 4.1. RDATA Fields . . . . . . . . . . . . . . . . . . . . . . . 12
+ 4.1.1. Hash Algorithm . . . . . . . . . . . . . . . . . . . . 12
+ 4.1.2. Flag Fields . . . . . . . . . . . . . . . . . . . . . 12
+ 4.1.3. Iterations . . . . . . . . . . . . . . . . . . . . . . 13
+ 4.1.4. Salt Length . . . . . . . . . . . . . . . . . . . . . 13
+ 4.1.5. Salt . . . . . . . . . . . . . . . . . . . . . . . . . 13
+ 4.2. NSEC3PARAM RDATA Wire Format . . . . . . . . . . . . . . . 13
+ 4.3. Presentation Format . . . . . . . . . . . . . . . . . . . 14
+ 5. Calculation of the Hash . . . . . . . . . . . . . . . . . . . 14
+ 6. Opt-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
+ 7. Authoritative Server Considerations . . . . . . . . . . . . . 16
+ 7.1. Zone Signing . . . . . . . . . . . . . . . . . . . . . . . 16
+ 7.2. Zone Serving . . . . . . . . . . . . . . . . . . . . . . . 17
+ 7.2.1. Closest Encloser Proof . . . . . . . . . . . . . . . . 18
+ 7.2.2. Name Error Responses . . . . . . . . . . . . . . . . . 19
+ 7.2.3. No Data Responses, QTYPE is not DS . . . . . . . . . . 19
+ 7.2.4. No Data Responses, QTYPE is DS . . . . . . . . . . . . 19
+ 7.2.5. Wildcard No Data Responses . . . . . . . . . . . . . . 19
+ 7.2.6. Wildcard Answer Responses . . . . . . . . . . . . . . 20
+ 7.2.7. Referrals to Unsigned Subzones . . . . . . . . . . . . 20
+ 7.2.8. Responding to Queries for NSEC3 Owner Names . . . . . 20
+ 7.2.9. Server Response to a Run-Time Collision . . . . . . . 21
+ 7.3. Secondary Servers . . . . . . . . . . . . . . . . . . . . 21
+ 7.4. Zones Using Unknown Hash Algorithms . . . . . . . . . . . 21
+ 7.5. Dynamic Update . . . . . . . . . . . . . . . . . . . . . . 21
+ 8. Validator Considerations . . . . . . . . . . . . . . . . . . . 23
+ 8.1. Responses with Unknown Hash Types . . . . . . . . . . . . 23
+ 8.2. Verifying NSEC3 RRs . . . . . . . . . . . . . . . . . . . 23
+ 8.3. Closest Encloser Proof . . . . . . . . . . . . . . . . . . 23
+ 8.4. Validating Name Error Responses . . . . . . . . . . . . . 24
+ 8.5. Validating No Data Responses, QTYPE is not DS . . . . . . 24
+ 8.6. Validating No Data Responses, QTYPE is DS . . . . . . . . 24
+ 8.7. Validating Wildcard No Data Responses . . . . . . . . . . 25
+ 8.8. Validating Wildcard Answer Responses . . . . . . . . . . . 25
+ 8.9. Validating Referrals to Unsigned Subzones . . . . . . . . 25
+ 9. Resolver Considerations . . . . . . . . . . . . . . . . . . . 26
+ 9.1. NSEC3 Resource Record Caching . . . . . . . . . . . . . . 26
+ 9.2. Use of the AD Bit . . . . . . . . . . . . . . . . . . . . 26
+ 10. Special Considerations . . . . . . . . . . . . . . . . . . . . 26
+ 10.1. Domain Name Length Restrictions . . . . . . . . . . . . . 26
+ 10.2. DNAME at the Zone Apex . . . . . . . . . . . . . . . . . . 27
+ 10.3. Iterations . . . . . . . . . . . . . . . . . . . . . . . . 27
+ 10.4. Transitioning a Signed Zone from NSEC to NSEC3 . . . . . . 28
+ 10.5. Transitioning a Signed Zone from NSEC3 to NSEC . . . . . . 28
+ 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29
+ 12. Security Considerations . . . . . . . . . . . . . . . . . . . 30
+ 12.1. Hashing Considerations . . . . . . . . . . . . . . . . . . 30
+
+
+
+Laurie, et al. Standards Track [Page 2]
+
+RFC 5155 NSEC3 March 2008
+
+
+ 12.1.1. Dictionary Attacks . . . . . . . . . . . . . . . . . . 30
+ 12.1.2. Collisions . . . . . . . . . . . . . . . . . . . . . . 31
+ 12.1.3. Transitioning to a New Hash Algorithm . . . . . . . . 31
+ 12.1.4. Using High Iteration Values . . . . . . . . . . . . . 31
+ 12.2. Opt-Out Considerations . . . . . . . . . . . . . . . . . . 32
+ 12.3. Other Considerations . . . . . . . . . . . . . . . . . . . 33
+ 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 33
+ 13.1. Normative References . . . . . . . . . . . . . . . . . . . 33
+ 13.2. Informative References . . . . . . . . . . . . . . . . . . 34
+ Appendix A. Example Zone . . . . . . . . . . . . . . . . . . . . 35
+ Appendix B. Example Responses . . . . . . . . . . . . . . . . . . 40
+ B.1. Name Error . . . . . . . . . . . . . . . . . . . . . . . . 40
+ B.2. No Data Error . . . . . . . . . . . . . . . . . . . . . . 42
+ B.2.1. No Data Error, Empty Non-Terminal . . . . . . . . . . 43
+ B.3. Referral to an Opt-Out Unsigned Zone . . . . . . . . . . . 44
+ B.4. Wildcard Expansion . . . . . . . . . . . . . . . . . . . . 45
+ B.5. Wildcard No Data Error . . . . . . . . . . . . . . . . . . 46
+ B.6. DS Child Zone No Data Error . . . . . . . . . . . . . . . 48
+ Appendix C. Special Considerations . . . . . . . . . . . . . . . 48
+ C.1. Salting . . . . . . . . . . . . . . . . . . . . . . . . . 49
+ C.2. Hash Collision . . . . . . . . . . . . . . . . . . . . . . 49
+ C.2.1. Avoiding Hash Collisions During Generation . . . . . . 50
+ C.2.2. Second Preimage Requirement Analysis . . . . . . . . . 50
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al. Standards Track [Page 3]
+
+RFC 5155 NSEC3 March 2008
+
+
+1. Introduction
+
+1.1. Rationale
+
+ The DNS Security Extensions included the NSEC RR to provide
+ authenticated denial of existence. Though the NSEC RR meets the
+ requirements for authenticated denial of existence, it introduces a
+ side-effect in that the contents of a zone can be enumerated. This
+ property introduces undesired policy issues.
+
+ The enumeration is enabled by the set of NSEC records that exists
+ inside a signed zone. An NSEC record lists two names that are
+ ordered canonically, in order to show that nothing exists between the
+ two names. The complete set of NSEC records lists all the names in a
+ zone. It is trivial to enumerate the content of a zone by querying
+ for names that do not exist.
+
+ An enumerated zone can be used, for example, as a source of probable
+ e-mail addresses for spam, or as a key for multiple WHOIS queries to
+ reveal registrant data that many registries may have legal
+ obligations to protect. Many registries therefore prohibit the
+ copying of their zone data; however, the use of NSEC RRs renders
+ these policies unenforceable.
+
+ A second problem is that the cost to cryptographically secure
+ delegations to unsigned zones is high, relative to the perceived
+ security benefit, in two cases: large, delegation-centric zones, and
+ zones where insecure delegations will be updated rapidly. In these
+ cases, the costs of maintaining the NSEC RR chain may be extremely
+ high and use of the "Opt-Out" convention may be more appropriate (for
+ these unsecured zones).
+
+ This document presents the NSEC3 Resource Record which can be used as
+ an alternative to NSEC to mitigate these issues.
+
+ Earlier work to address these issues include [DNSEXT-NO], [RFC4956],
+ and [DNSEXT-NSEC2v2].
+
+1.2. Requirements
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+
+
+
+
+
+
+
+Laurie, et al. Standards Track [Page 4]
+
+RFC 5155 NSEC3 March 2008
+
+
+1.3. Terminology
+
+ The reader is assumed to be familiar with the basic DNS and DNSSEC
+ concepts described in [RFC1034], [RFC1035], [RFC4033], [RFC4034],
+ [RFC4035], and subsequent RFCs that update them: [RFC2136],
+ [RFC2181], and [RFC2308].
+
+ The following terminology is used throughout this document:
+
+ Zone enumeration: the practice of discovering the full content of a
+ zone via successive queries. Zone enumeration was non-trivial
+ prior to the introduction of DNSSEC.
+
+ Original owner name: the owner name corresponding to a hashed owner
+ name.
+
+ Hashed owner name: the owner name created after applying the hash
+ function to an owner name.
+
+ Hash order: the order in which hashed owner names are arranged
+ according to their numerical value, treating the leftmost (lowest
+ numbered) octet as the most significant octet. Note that this
+ order is the same as the canonical DNS name order specified in
+ [RFC4034], when the hashed owner names are in base32, encoded with
+ an Extended Hex Alphabet [RFC4648].
+
+ Empty non-terminal: a domain name that owns no resource records, but
+ has one or more subdomains that do.
+
+ Delegation: an NS RRSet with a name different from the current zone
+ apex (non-zone-apex), signifying a delegation to a child zone.
+
+ Secure delegation: a name containing a delegation (NS RRSet) and a
+ signed DS RRSet, signifying a delegation to a signed child zone.
+
+ Insecure delegation: a name containing a delegation (NS RRSet), but
+ lacking a DS RRSet, signifying a delegation to an unsigned child
+ zone.
+
+ Opt-Out NSEC3 resource record: an NSEC3 resource record that has the
+ Opt-Out flag set to 1.
+
+ Opt-Out zone: a zone with at least one Opt-Out NSEC3 RR.
+
+ Closest encloser: the longest existing ancestor of a name. See also
+ Section 3.3.1 of [RFC4592].
+
+
+
+
+
+Laurie, et al. Standards Track [Page 5]
+
+RFC 5155 NSEC3 March 2008
+
+
+ Closest provable encloser: the longest ancestor of a name that can
+ be proven to exist. Note that this is only different from the
+ closest encloser in an Opt-Out zone.
+
+ Next closer name: the name one label longer than the closest
+ provable encloser of a name.
+
+ Base32: the "Base 32 Encoding with Extended Hex Alphabet" as
+ specified in [RFC4648]. Note that trailing padding characters
+ ("=") are not used in the NSEC3 specification.
+
+ To cover: An NSEC3 RR is said to "cover" a name if the hash of the
+ name or "next closer" name falls between the owner name and the
+ next hashed owner name of the NSEC3. In other words, if it proves
+ the nonexistence of the name, either directly or by proving the
+ nonexistence of an ancestor of the name.
+
+ To match: An NSEC3 RR is said to "match" a name if the owner name of
+ the NSEC3 RR is the same as the hashed owner name of that name.
+
+2. Backwards Compatibility
+
+ This specification describes a protocol change that is not generally
+ backwards compatible with [RFC4033], [RFC4034], and [RFC4035]. In
+ particular, security-aware resolvers that are unaware of this
+ specification (NSEC3-unaware resolvers) may fail to validate the
+ responses introduced by this document.
+
+ In order to aid deployment, this specification uses a signaling
+ technique to prevent NSEC3-unaware resolvers from attempting to
+ validate responses from NSEC3-signed zones.
+
+ This specification allocates two new DNSKEY algorithm identifiers for
+ this purpose. Algorithm 6, DSA-NSEC3-SHA1 is an alias for algorithm
+ 3, DSA. Algorithm 7, RSASHA1-NSEC3-SHA1 is an alias for algorithm 5,
+ RSASHA1. These are not new algorithms, they are additional
+ identifiers for the existing algorithms.
+
+ Zones signed according to this specification MUST only use these
+ algorithm identifiers for their DNSKEY RRs. Because these new
+ identifiers will be unknown algorithms to existing, NSEC3-unaware
+ resolvers, those resolvers will then treat responses from the NSEC3
+ signed zone as insecure, as detailed in Section 5.2 of [RFC4035].
+
+ These algorithm identifiers are used with the NSEC3 hash algorithm
+ SHA1. Using other NSEC3 hash algorithms requires allocation of a new
+ alias (see Section 12.1.3).
+
+
+
+
+Laurie, et al. Standards Track [Page 6]
+
+RFC 5155 NSEC3 March 2008
+
+
+ Security aware resolvers that are aware of this specification MUST
+ recognize the new algorithm identifiers and treat them as equivalent
+ to the algorithms that they alias.
+
+ A methodology for transitioning from a DNSSEC signed zone to a zone
+ signed using NSEC3 is discussed in Section 10.4.
+
+3. The NSEC3 Resource Record
+
+ The NSEC3 Resource Record (RR) provides authenticated denial of
+ existence for DNS Resource Record Sets.
+
+ The NSEC3 RR lists RR types present at the original owner name of the
+ NSEC3 RR. It includes the next hashed owner name in the hash order
+ of the zone. The complete set of NSEC3 RRs in a zone indicates which
+ RRSets exist for the original owner name of the RR and form a chain
+ of hashed owner names in the zone. This information is used to
+ provide authenticated denial of existence for DNS data. To provide
+ protection against zone enumeration, the owner names used in the
+ NSEC3 RR are cryptographic hashes of the original owner name
+ prepended as a single label to the name of the zone. The NSEC3 RR
+ indicates which hash function is used to construct the hash, which
+ salt is used, and how many iterations of the hash function are
+ performed over the original owner name. The hashing technique is
+ described fully in Section 5.
+
+ Hashed owner names of unsigned delegations may be excluded from the
+ chain. An NSEC3 RR whose span covers the hash of an owner name or
+ "next closer" name of an unsigned delegation is referred to as an
+ Opt-Out NSEC3 RR and is indicated by the presence of a flag.
+
+ The owner name for the NSEC3 RR is the base32 encoding of the hashed
+ owner name prepended as a single label to the name of the zone.
+
+ The type value for the NSEC3 RR is 50.
+
+ The NSEC3 RR RDATA format is class independent and is described
+ below.
+
+ The class MUST be the same as the class of the original owner name.
+
+ The NSEC3 RR SHOULD have the same TTL value as the SOA minimum TTL
+ field. This is in the spirit of negative caching [RFC2308].
+
+
+
+
+
+
+
+
+Laurie, et al. Standards Track [Page 7]
+
+RFC 5155 NSEC3 March 2008
+
+
+3.1. RDATA Fields
+
+3.1.1. Hash Algorithm
+
+ The Hash Algorithm field identifies the cryptographic hash algorithm
+ used to construct the hash-value.
+
+ The values for this field are defined in the NSEC3 hash algorithm
+ registry defined in Section 11.
+
+3.1.2. Flags
+
+ The Flags field contains 8 one-bit flags that can be used to indicate
+ different processing. All undefined flags must be zero. The only
+ flag defined by this specification is the Opt-Out flag.
+
+3.1.2.1. Opt-Out Flag
+
+ If the Opt-Out flag is set, the NSEC3 record covers zero or more
+ unsigned delegations.
+
+ If the Opt-Out flag is clear, the NSEC3 record covers zero unsigned
+ delegations.
+
+ The Opt-Out Flag indicates whether this NSEC3 RR may cover unsigned
+ delegations. It is the least significant bit in the Flags field.
+ See Section 6 for details about the use of this flag.
+
+3.1.3. Iterations
+
+ The Iterations field defines the number of additional times the hash
+ function has been performed. More iterations result in greater
+ resiliency of the hash value against dictionary attacks, but at a
+ higher computational cost for both the server and resolver. See
+ Section 5 for details of the use of this field, and Section 10.3 for
+ limitations on the value.
+
+3.1.4. Salt Length
+
+ The Salt Length field defines the length of the Salt field in octets,
+ ranging in value from 0 to 255.
+
+3.1.5. Salt
+
+ The Salt field is appended to the original owner name before hashing
+ in order to defend against pre-calculated dictionary attacks. See
+ Section 5 for details on how the salt is used.
+
+
+
+
+Laurie, et al. Standards Track [Page 8]
+
+RFC 5155 NSEC3 March 2008
+
+
+3.1.6. Hash Length
+
+ The Hash Length field defines the length of the Next Hashed Owner
+ Name field, ranging in value from 1 to 255 octets.
+
+3.1.7. Next Hashed Owner Name
+
+ The Next Hashed Owner Name field contains the next hashed owner name
+ in hash order. This value is in binary format. Given the ordered
+ set of all hashed owner names, the Next Hashed Owner Name field
+ contains the hash of an owner name that immediately follows the owner
+ name of the given NSEC3 RR. The value of the Next Hashed Owner Name
+ field in the last NSEC3 RR in the zone is the same as the hashed
+ owner name of the first NSEC3 RR in the zone in hash order. Note
+ that, unlike the owner name of the NSEC3 RR, the value of this field
+ does not contain the appended zone name.
+
+3.1.8. Type Bit Maps
+
+ The Type Bit Maps field identifies the RRSet types that exist at the
+ original owner name of the NSEC3 RR.
+
+3.2. NSEC3 RDATA Wire Format
+
+ The RDATA of the NSEC3 RR is as shown below:
+
+ 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Hash Alg. | Flags | Iterations |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Salt Length | Salt /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Hash Length | Next Hashed Owner Name /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / Type Bit Maps /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Hash Algorithm is a single octet.
+
+ Flags field is a single octet, the Opt-Out flag is the least
+ significant bit, as shown below:
+
+ 0 1 2 3 4 5 6 7
+ +-+-+-+-+-+-+-+-+
+ | |O|
+ +-+-+-+-+-+-+-+-+
+
+
+
+
+Laurie, et al. Standards Track [Page 9]
+
+RFC 5155 NSEC3 March 2008
+
+
+ Iterations is represented as a 16-bit unsigned integer, with the most
+ significant bit first.
+
+ Salt Length is represented as an unsigned octet. Salt Length
+ represents the length of the Salt field in octets. If the value is
+ zero, the following Salt field is omitted.
+
+ Salt, if present, is encoded as a sequence of binary octets. The
+ length of this field is determined by the preceding Salt Length
+ field.
+
+ Hash Length is represented as an unsigned octet. Hash Length
+ represents the length of the Next Hashed Owner Name field in octets.
+
+ The next hashed owner name is not base32 encoded, unlike the owner
+ name of the NSEC3 RR. It is the unmodified binary hash value. It
+ does not include the name of the containing zone. The length of this
+ field is determined by the preceding Hash Length field.
+
+3.2.1. Type Bit Maps Encoding
+
+ The encoding of the Type Bit Maps field is the same as that used by
+ the NSEC RR, described in [RFC4034]. It is explained and clarified
+ here for clarity.
+
+ The RR type space is split into 256 window blocks, each representing
+ the low-order 8 bits of the 16-bit RR type space. Each block that
+ has at least one active RR type is encoded using a single octet
+ window number (from 0 to 255), a single octet bitmap length (from 1
+ to 32) indicating the number of octets used for the bitmap of the
+ window block, and up to 32 octets (256 bits) of bitmap.
+
+ Blocks are present in the NSEC3 RR RDATA in increasing numerical
+ order.
+
+ Type Bit Maps Field = ( Window Block # | Bitmap Length | Bitmap )+
+
+ where "|" denotes concatenation.
+
+ Each bitmap encodes the low-order 8 bits of RR types within the
+ window block, in network bit order. The first bit is bit 0. For
+ window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds
+ to RR type 2 (NS), and so forth. For window block 1, bit 1
+ corresponds to RR type 257, bit 2 to RR type 258. If a bit is set to
+ 1, it indicates that an RRSet of that type is present for the
+ original owner name of the NSEC3 RR. If a bit is set to 0, it
+ indicates that no RRSet of that type is present for the original
+ owner name of the NSEC3 RR.
+
+
+
+Laurie, et al. Standards Track [Page 10]
+
+RFC 5155 NSEC3 March 2008
+
+
+ Since bit 0 in window block 0 refers to the non-existing RR type 0,
+ it MUST be set to 0. After verification, the validator MUST ignore
+ the value of bit 0 in window block 0.
+
+ Bits representing Meta-TYPEs or QTYPEs as specified in Section 3.1 of
+ [RFC2929] or within the range reserved for assignment only to QTYPEs
+ and Meta-TYPEs MUST be set to 0, since they do not appear in zone
+ data. If encountered, they must be ignored upon reading.
+
+ Blocks with no types present MUST NOT be included. Trailing zero
+ octets in the bitmap MUST be omitted. The length of the bitmap of
+ each block is determined by the type code with the largest numerical
+ value, within that block, among the set of RR types present at the
+ original owner name of the NSEC3 RR. Trailing octets not specified
+ MUST be interpreted as zero octets.
+
+3.3. Presentation Format
+
+ The presentation format of the RDATA portion is as follows:
+
+ o The Hash Algorithm field is represented as an unsigned decimal
+ integer. The value has a maximum of 255.
+
+ o The Flags field is represented as an unsigned decimal integer.
+ The value has a maximum of 255.
+
+ o The Iterations field is represented as an unsigned decimal
+ integer. The value is between 0 and 65535, inclusive.
+
+ o The Salt Length field is not represented.
+
+ o The Salt field is represented as a sequence of case-insensitive
+ hexadecimal digits. Whitespace is not allowed within the
+ sequence. The Salt field is represented as "-" (without the
+ quotes) when the Salt Length field has a value of 0.
+
+ o The Hash Length field is not represented.
+
+ o The Next Hashed Owner Name field is represented as an unpadded
+ sequence of case-insensitive base32 digits, without whitespace.
+
+ o The Type Bit Maps field is represented as a sequence of RR type
+ mnemonics. When the mnemonic is not known, the TYPE
+ representation as described in Section 5 of [RFC3597] MUST be
+ used.
+
+
+
+
+
+
+Laurie, et al. Standards Track [Page 11]
+
+RFC 5155 NSEC3 March 2008
+
+
+4. The NSEC3PARAM Resource Record
+
+ The NSEC3PARAM RR contains the NSEC3 parameters (hash algorithm,
+ flags, iterations, and salt) needed by authoritative servers to
+ calculate hashed owner names. The presence of an NSEC3PARAM RR at a
+ zone apex indicates that the specified parameters may be used by
+ authoritative servers to choose an appropriate set of NSEC3 RRs for
+ negative responses. The NSEC3PARAM RR is not used by validators or
+ resolvers.
+
+ If an NSEC3PARAM RR is present at the apex of a zone with a Flags
+ field value of zero, then there MUST be an NSEC3 RR using the same
+ hash algorithm, iterations, and salt parameters present at every
+ hashed owner name in the zone. That is, the zone MUST contain a
+ complete set of NSEC3 RRs with the same hash algorithm, iterations,
+ and salt parameters.
+
+ The owner name for the NSEC3PARAM RR is the name of the zone apex.
+
+ The type value for the NSEC3PARAM RR is 51.
+
+ The NSEC3PARAM RR RDATA format is class independent and is described
+ below.
+
+ The class MUST be the same as the NSEC3 RRs to which this RR refers.
+
+4.1. RDATA Fields
+
+ The RDATA for this RR mirrors the first four fields in the NSEC3 RR.
+
+4.1.1. Hash Algorithm
+
+ The Hash Algorithm field identifies the cryptographic hash algorithm
+ used to construct the hash-value.
+
+ The acceptable values are the same as the corresponding field in the
+ NSEC3 RR.
+
+4.1.2. Flag Fields
+
+ The Opt-Out flag is not used and is set to zero.
+
+ All other flags are reserved for future use, and must be zero.
+
+ NSEC3PARAM RRs with a Flags field value other than zero MUST be
+ ignored.
+
+
+
+
+
+Laurie, et al. Standards Track [Page 12]
+
+RFC 5155 NSEC3 March 2008
+
+
+4.1.3. Iterations
+
+ The Iterations field defines the number of additional times the hash
+ is performed.
+
+ Its acceptable values are the same as the corresponding field in the
+ NSEC3 RR.
+
+4.1.4. Salt Length
+
+ The Salt Length field defines the length of the salt in octets,
+ ranging in value from 0 to 255.
+
+4.1.5. Salt
+
+ The Salt field is appended to the original owner name before hashing.
+
+4.2. NSEC3PARAM RDATA Wire Format
+
+ The RDATA of the NSEC3PARAM RR is as shown below:
+
+ 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Hash Alg. | Flags | Iterations |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Salt Length | Salt /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Hash Algorithm is a single octet.
+
+ Flags field is a single octet.
+
+ Iterations is represented as a 16-bit unsigned integer, with the most
+ significant bit first.
+
+ Salt Length is represented as an unsigned octet. Salt Length
+ represents the length of the following Salt field in octets. If the
+ value is zero, the Salt field is omitted.
+
+ Salt, if present, is encoded as a sequence of binary octets. The
+ length of this field is determined by the preceding Salt Length
+ field.
+
+
+
+
+
+
+
+
+Laurie, et al. Standards Track [Page 13]
+
+RFC 5155 NSEC3 March 2008
+
+
+4.3. Presentation Format
+
+ The presentation format of the RDATA portion is as follows:
+
+ o The Hash Algorithm field is represented as an unsigned decimal
+ integer. The value has a maximum of 255.
+
+ o The Flags field is represented as an unsigned decimal integer.
+ The value has a maximum value of 255.
+
+ o The Iterations field is represented as an unsigned decimal
+ integer. The value is between 0 and 65535, inclusive.
+
+ o The Salt Length field is not represented.
+
+ o The Salt field is represented as a sequence of case-insensitive
+ hexadecimal digits. Whitespace is not allowed within the
+ sequence. This field is represented as "-" (without the quotes)
+ when the Salt Length field is zero.
+
+5. Calculation of the Hash
+
+ The hash calculation uses three of the NSEC3 RDATA fields: Hash
+ Algorithm, Salt, and Iterations.
+
+ Define H(x) to be the hash of x using the Hash Algorithm selected by
+ the NSEC3 RR, k to be the number of Iterations, and || to indicate
+ concatenation. Then define:
+
+ IH(salt, x, 0) = H(x || salt), and
+
+ IH(salt, x, k) = H(IH(salt, x, k-1) || salt), if k > 0
+
+ Then the calculated hash of an owner name is
+
+ IH(salt, owner name, iterations),
+
+ where the owner name is in the canonical form, defined as:
+
+ The wire format of the owner name where:
+
+ 1. The owner name is fully expanded (no DNS name compression) and
+ fully qualified;
+
+ 2. All uppercase US-ASCII letters are replaced by the corresponding
+ lowercase US-ASCII letters;
+
+
+
+
+
+Laurie, et al. Standards Track [Page 14]
+
+RFC 5155 NSEC3 March 2008
+
+
+ 3. If the owner name is a wildcard name, the owner name is in its
+ original unexpanded form, including the "*" label (no wildcard
+ substitution);
+
+ This form is as defined in Section 6.2 of [RFC4034].
+
+ The method to calculate the Hash is based on [RFC2898].
+
+6. Opt-Out
+
+ In this specification, as in [RFC4033], [RFC4034] and [RFC4035], NS
+ RRSets at delegation points are not signed and may be accompanied by
+ a DS RRSet. With the Opt-Out bit clear, the security status of the
+ child zone is determined by the presence or absence of this DS RRSet,
+ cryptographically proven by the signed NSEC3 RR at the hashed owner
+ name of the delegation. Setting the Opt-Out flag modifies this by
+ allowing insecure delegations to exist within the signed zone without
+ a corresponding NSEC3 RR at the hashed owner name of the delegation.
+
+ An Opt-Out NSEC3 RR is said to cover a delegation if the hash of the
+ owner name or "next closer" name of the delegation is between the
+ owner name of the NSEC3 RR and the next hashed owner name.
+
+ An Opt-Out NSEC3 RR does not assert the existence or non-existence of
+ the insecure delegations that it may cover. This allows for the
+ addition or removal of these delegations without recalculating or re-
+ signing RRs in the NSEC3 RR chain. However, Opt-Out NSEC3 RRs do
+ assert the (non)existence of other, authoritative RRSets.
+
+ An Opt-Out NSEC3 RR MAY have the same original owner name as an
+ insecure delegation. In this case, the delegation is proven insecure
+ by the lack of a DS bit in the type map and the signed NSEC3 RR does
+ assert the existence of the delegation.
+
+ Zones using Opt-Out MAY contain a mixture of Opt-Out NSEC3 RRs and
+ non-Opt-Out NSEC3 RRs. If an NSEC3 RR is not Opt-Out, there MUST NOT
+ be any hashed owner names of insecure delegations (nor any other RRs)
+ between it and the name indicated by the next hashed owner name in
+ the NSEC3 RDATA. If it is Opt-Out, it MUST only cover hashed owner
+ names or hashed "next closer" names of insecure delegations.
+
+ The effects of the Opt-Out flag on signing, serving, and validating
+ responses are covered in following sections.
+
+
+
+
+
+
+
+
+Laurie, et al. Standards Track [Page 15]
+
+RFC 5155 NSEC3 March 2008
+
+
+7. Authoritative Server Considerations
+
+7.1. Zone Signing
+
+ Zones using NSEC3 must satisfy the following properties:
+
+ o Each owner name within the zone that owns authoritative RRSets
+ MUST have a corresponding NSEC3 RR. Owner names that correspond
+ to unsigned delegations MAY have a corresponding NSEC3 RR.
+ However, if there is not a corresponding NSEC3 RR, there MUST be
+ an Opt-Out NSEC3 RR that covers the "next closer" name to the
+ delegation. Other non-authoritative RRs are not represented by
+ NSEC3 RRs.
+
+ o Each empty non-terminal MUST have a corresponding NSEC3 RR, unless
+ the empty non-terminal is only derived from an insecure delegation
+ covered by an Opt-Out NSEC3 RR.
+
+ o The TTL value for any NSEC3 RR SHOULD be the same as the minimum
+ TTL value field in the zone SOA RR.
+
+ o The Type Bit Maps field of every NSEC3 RR in a signed zone MUST
+ indicate the presence of all types present at the original owner
+ name, except for the types solely contributed by an NSEC3 RR
+ itself. Note that this means that the NSEC3 type itself will
+ never be present in the Type Bit Maps.
+
+ The following steps describe a method of proper construction of NSEC3
+ RRs. This is not the only such possible method.
+
+ 1. Select the hash algorithm and the values for salt and iterations.
+
+ 2. For each unique original owner name in the zone add an NSEC3 RR.
+
+ * If Opt-Out is being used, owner names of unsigned delegations
+ MAY be excluded.
+
+ * The owner name of the NSEC3 RR is the hash of the original
+ owner name, prepended as a single label to the zone name.
+
+ * The Next Hashed Owner Name field is left blank for the moment.
+
+ * If Opt-Out is being used, set the Opt-Out bit to one.
+
+ * For collision detection purposes, optionally keep track of the
+ original owner name with the NSEC3 RR.
+
+
+
+
+
+Laurie, et al. Standards Track [Page 16]
+
+RFC 5155 NSEC3 March 2008
+
+
+ * Additionally, for collision detection purposes, optionally
+ create an additional NSEC3 RR corresponding to the original
+ owner name with the asterisk label prepended (i.e., as if a
+ wildcard existed as a child of this owner name) and keep track
+ of this original owner name. Mark this NSEC3 RR as temporary.
+
+ 3. For each RRSet at the original owner name, set the corresponding
+ bit in the Type Bit Maps field.
+
+ 4. If the difference in number of labels between the apex and the
+ original owner name is greater than 1, additional NSEC3 RRs need
+ to be added for every empty non-terminal between the apex and the
+ original owner name. This process may generate NSEC3 RRs with
+ duplicate hashed owner names. Optionally, for collision
+ detection, track the original owner names of these NSEC3 RRs and
+ create temporary NSEC3 RRs for wildcard collisions in a similar
+ fashion to step 1.
+
+ 5. Sort the set of NSEC3 RRs into hash order.
+
+ 6. Combine NSEC3 RRs with identical hashed owner names by replacing
+ them with a single NSEC3 RR with the Type Bit Maps field
+ consisting of the union of the types represented by the set of
+ NSEC3 RRs. If the original owner name was tracked, then
+ collisions may be detected when combining, as all of the matching
+ NSEC3 RRs should have the same original owner name. Discard any
+ possible temporary NSEC3 RRs.
+
+ 7. In each NSEC3 RR, insert the next hashed owner name by using the
+ value of the next NSEC3 RR in hash order. The next hashed owner
+ name of the last NSEC3 RR in the zone contains the value of the
+ hashed owner name of the first NSEC3 RR in the hash order.
+
+ 8. Finally, add an NSEC3PARAM RR with the same Hash Algorithm,
+ Iterations, and Salt fields to the zone apex.
+
+ If a hash collision is detected, then a new salt has to be chosen,
+ and the signing process restarted.
+
+7.2. Zone Serving
+
+ This specification modifies DNSSEC-enabled DNS responses generated by
+ authoritative servers. In particular, it replaces the use of NSEC
+ RRs in such responses with NSEC3 RRs.
+
+
+
+
+
+
+
+Laurie, et al. Standards Track [Page 17]
+
+RFC 5155 NSEC3 March 2008
+
+
+ In the following response cases, the NSEC RRs dictated by DNSSEC
+ [RFC4035] are replaced with NSEC3 RRs that prove the same facts.
+ Responses that would not contain NSEC RRs are unchanged by this
+ specification.
+
+ When returning responses containing multiple NSEC3 RRs, all of the
+ NSEC3 RRs MUST use the same hash algorithm, iteration, and salt
+ values. The Flags field value MUST be either zero or one.
+
+7.2.1. Closest Encloser Proof
+
+ For many NSEC3 responses a proof of the closest encloser is required.
+ This is a proof that some ancestor of the QNAME is the closest
+ encloser of QNAME.
+
+ This proof consists of (up to) two different NSEC3 RRs:
+
+ o An NSEC3 RR that matches the closest (provable) encloser.
+
+ o An NSEC3 RR that covers the "next closer" name to the closest
+ encloser.
+
+ The first NSEC3 RR essentially proposes a possible closest encloser,
+ and proves that the particular encloser does, in fact, exist. The
+ second NSEC3 RR proves that the possible closest encloser is the
+ closest, and proves that the QNAME (and any ancestors between QNAME
+ and the closest encloser) does not exist.
+
+ These NSEC3 RRs are collectively referred to as the "closest encloser
+ proof" in the subsequent descriptions.
+
+ For example, the closest encloser proof for the nonexistent
+ "alpha.beta.gamma.example." owner name might prove that
+ "gamma.example." is the closest encloser. This response would
+ contain the NSEC3 RR that matches "gamma.example.", and would also
+ contain the NSEC3 RR that covers "beta.gamma.example." (which is the
+ "next closer" name).
+
+ It is possible, when using Opt-Out (Section 6), to not be able to
+ prove the actual closest encloser because it is, or is part of an
+ insecure delegation covered by an Opt-Out span. In this case,
+ instead of proving the actual closest encloser, the closest provable
+ encloser is used. That is, the closest enclosing authoritative name
+ is used instead. In this case, the set of NSEC3 RRs used for this
+ proof is referred to as the "closest provable encloser proof".
+
+
+
+
+
+
+Laurie, et al. Standards Track [Page 18]
+
+RFC 5155 NSEC3 March 2008
+
+
+7.2.2. Name Error Responses
+
+ To prove the nonexistence of QNAME, a closest encloser proof and an
+ NSEC3 RR covering the (nonexistent) wildcard RR at the closest
+ encloser MUST be included in the response. This collection of (up
+ to) three NSEC3 RRs proves both that QNAME does not exist and that a
+ wildcard that could have matched QNAME also does not exist.
+
+ For example, if "gamma.example." is the closest provable encloser to
+ QNAME, then an NSEC3 RR covering "*.gamma.example." is included in
+ the authority section of the response.
+
+7.2.3. No Data Responses, QTYPE is not DS
+
+ The server MUST include the NSEC3 RR that matches QNAME. This NSEC3
+ RR MUST NOT have the bits corresponding to either the QTYPE or CNAME
+ set in its Type Bit Maps field.
+
+7.2.4. No Data Responses, QTYPE is DS
+
+ If there is an NSEC3 RR that matches QNAME, the server MUST return it
+ in the response. The bits corresponding with DS and CNAME MUST NOT
+ be set in the Type Bit Maps field of this NSEC3 RR.
+
+ If no NSEC3 RR matches QNAME, the server MUST return a closest
+ provable encloser proof for QNAME. The NSEC3 RR that covers the
+ "next closer" name MUST have the Opt-Out bit set (note that this is
+ true by definition -- if the Opt-Out bit is not set, something has
+ gone wrong).
+
+ If a server is authoritative for both sides of a zone cut at QNAME,
+ the server MUST return the proof from the parent side of the zone
+ cut.
+
+7.2.5. Wildcard No Data Responses
+
+ If there is a wildcard match for QNAME, but QTYPE is not present at
+ that name, the response MUST include a closest encloser proof for
+ QNAME and MUST include the NSEC3 RR that matches the wildcard. This
+ combination proves both that QNAME itself does not exist and that a
+ wildcard that matches QNAME does exist. Note that the closest
+ encloser to QNAME MUST be the immediate ancestor of the wildcard RR
+ (if this is not the case, then something has gone wrong).
+
+
+
+
+
+
+
+
+Laurie, et al. Standards Track [Page 19]
+
+RFC 5155 NSEC3 March 2008
+
+
+7.2.6. Wildcard Answer Responses
+
+ If there is a wildcard match for QNAME and QTYPE, then, in addition
+ to the expanded wildcard RRSet returned in the answer section of the
+ response, proof that the wildcard match was valid must be returned.
+
+ This proof is accomplished by proving that both QNAME does not exist
+ and that the closest encloser of the QNAME and the immediate ancestor
+ of the wildcard are the same (i.e., the correct wildcard matched).
+
+ To this end, the NSEC3 RR that covers the "next closer" name of the
+ immediate ancestor of the wildcard MUST be returned. It is not
+ necessary to return an NSEC3 RR that matches the closest encloser, as
+ the existence of this closest encloser is proven by the presence of
+ the expanded wildcard in the response.
+
+7.2.7. Referrals to Unsigned Subzones
+
+ If there is an NSEC3 RR that matches the delegation name, then that
+ NSEC3 RR MUST be included in the response. The DS bit in the type
+ bit maps of the NSEC3 RR MUST NOT be set.
+
+ If the zone is Opt-Out, then there may not be an NSEC3 RR
+ corresponding to the delegation. In this case, the closest provable
+ encloser proof MUST be included in the response. The included NSEC3
+ RR that covers the "next closer" name for the delegation MUST have
+ the Opt-Out flag set to one. (Note that this will be the case unless
+ something has gone wrong).
+
+7.2.8. Responding to Queries for NSEC3 Owner Names
+
+ The owner names of NSEC3 RRs are not represented in the NSEC3 RR
+ chain like other owner names. As a result, each NSEC3 owner name is
+ covered by another NSEC3 RR, effectively negating the existence of
+ the NSEC3 RR. This is a paradox, since the existence of an NSEC3 RR
+ can be proven by its RRSIG RRSet.
+
+ If the following conditions are all true:
+
+ o the QNAME equals the owner name of an existing NSEC3 RR, and
+
+ o no RR types exist at the QNAME, nor at any descendant of QNAME,
+
+ then the response MUST be constructed as a Name Error response
+ (Section 7.2.2). Or, in other words, the authoritative name server
+ will act as if the owner name of the NSEC3 RR did not exist.
+
+
+
+
+
+Laurie, et al. Standards Track [Page 20]
+
+RFC 5155 NSEC3 March 2008
+
+
+ Note that NSEC3 RRs are returned as a result of an AXFR or IXFR
+ query.
+
+7.2.9. Server Response to a Run-Time Collision
+
+ If the hash of a non-existing QNAME collides with the owner name of
+ an existing NSEC3 RR, then the server will be unable to return a
+ response that proves that QNAME does not exist. In this case, the
+ server MUST return a response with an RCODE of 2 (server failure).
+
+ Note that with the hash algorithm specified in this document, SHA-1,
+ such collisions are highly unlikely.
+
+7.3. Secondary Servers
+
+ Secondary servers (and perhaps other entities) need to reliably
+ determine which NSEC3 parameters (i.e., hash, salt, and iterations)
+ are present at every hashed owner name, in order to be able to choose
+ an appropriate set of NSEC3 RRs for negative responses. This is
+ indicated by an NSEC3PARAM RR present at the zone apex.
+
+ If there are multiple NSEC3PARAM RRs present, there are multiple
+ valid NSEC3 chains present. The server must choose one of them, but
+ may use any criteria to do so.
+
+7.4. Zones Using Unknown Hash Algorithms
+
+ Zones that are signed according to this specification, but are using
+ an unrecognized NSEC3 hash algorithm value, cannot be effectively
+ served. Such zones SHOULD be rejected when loading. Servers SHOULD
+ respond with RCODE=2 (server failure) responses when handling queries
+ that would fall under such zones.
+
+7.5. Dynamic Update
+
+ A zone signed using NSEC3 may accept dynamic updates [RFC2136].
+ However, NSEC3 introduces some special considerations for dynamic
+ updates.
+
+ Adding and removing names in a zone MUST account for the creation or
+ removal of empty non-terminals.
+
+ o When removing a name with a corresponding NSEC3 RR, any NSEC3 RRs
+ corresponding to empty non-terminals created by that name MUST be
+ removed. Note that more than one name may be asserting the
+ existence of a particular empty non-terminal.
+
+
+
+
+
+Laurie, et al. Standards Track [Page 21]
+
+RFC 5155 NSEC3 March 2008
+
+
+ o When adding a name that requires adding an NSEC3 RR, NSEC3 RRs
+ MUST also be added for any empty non-terminals that are created.
+ That is, if there is not an existing NSEC3 RR matching an empty
+ non-terminal, it must be created and added.
+
+ The presence of Opt-Out in a zone means that some additions or
+ delegations of names will not require changes to the NSEC3 RRs in a
+ zone.
+
+ o When removing a delegation RRSet, if that delegation does not have
+ a matching NSEC3 RR, then it was opted out. In this case, nothing
+ further needs to be done.
+
+ o When adding a delegation RRSet, if the "next closer" name of the
+ delegation is covered by an existing Opt-Out NSEC3 RR, then the
+ delegation MAY be added without modifying the NSEC3 RRs in the
+ zone.
+
+ The presence of Opt-Out in a zone means that when adding or removing
+ NSEC3 RRs, the value of the Opt-Out flag that should be set in new or
+ modified NSEC3 RRs is ambiguous. Servers SHOULD follow this set of
+ basic rules to resolve the ambiguity.
+
+ The central concept to these rules is that the state of the Opt-Out
+ flag of the covering NSEC3 RR is preserved.
+
+ o When removing an NSEC3 RR, the value of the Opt-Out flag for the
+ previous NSEC3 RR (the one whose next hashed owner name is
+ modified) should not be changed.
+
+ o When adding an NSEC3 RR, the value of the Opt-Out flag is set to
+ the value of the Opt-Out flag of the NSEC3 RR that previously
+ covered the owner name of the NSEC3 RR. That is, the now previous
+ NSEC3 RR.
+
+ If the zone in question is consistent with its use of the Opt-Out
+ flag (that is, all NSEC3 RRs in the zone have the same value for the
+ flag) then these rules will retain that consistency. If the zone is
+ not consistent in the use of the flag (i.e., a partially Opt-Out
+ zone), then these rules will not retain the same pattern of use of
+ the Opt-Out flag.
+
+ For zones that partially use the Opt-Out flag, if there is a logical
+ pattern for that use, the pattern could be maintained by using a
+ local policy on the server.
+
+
+
+
+
+
+Laurie, et al. Standards Track [Page 22]
+
+RFC 5155 NSEC3 March 2008
+
+
+8. Validator Considerations
+
+8.1. Responses with Unknown Hash Types
+
+ A validator MUST ignore NSEC3 RRs with unknown hash types. The
+ practical result of this is that responses containing only such NSEC3
+ RRs will generally be considered bogus.
+
+8.2. Verifying NSEC3 RRs
+
+ A validator MUST ignore NSEC3 RRs with a Flag fields value other than
+ zero or one.
+
+ A validator MAY treat a response as bogus if the response contains
+ NSEC3 RRs that contain different values for hash algorithm,
+ iterations, or salt from each other for that zone.
+
+8.3. Closest Encloser Proof
+
+ In order to verify a closest encloser proof, the validator MUST find
+ the longest name, X, such that
+
+ o X is an ancestor of QNAME that is matched by an NSEC3 RR present
+ in the response. This is a candidate for the closest encloser,
+ and
+
+ o The name one label longer than X (but still an ancestor of -- or
+ equal to -- QNAME) is covered by an NSEC3 RR present in the
+ response.
+
+ One possible algorithm for verifying this proof is as follows:
+
+ 1. Set SNAME=QNAME. Clear the flag.
+
+ 2. Check whether SNAME exists:
+
+ * If there is no NSEC3 RR in the response that matches SNAME
+ (i.e., an NSEC3 RR whose owner name is the same as the hash of
+ SNAME, prepended as a single label to the zone name), clear
+ the flag.
+
+ * If there is an NSEC3 RR in the response that covers SNAME, set
+ the flag.
+
+ * If there is a matching NSEC3 RR in the response and the flag
+ was set, then the proof is complete, and SNAME is the closest
+ encloser.
+
+
+
+
+Laurie, et al. Standards Track [Page 23]
+
+RFC 5155 NSEC3 March 2008
+
+
+ * If there is a matching NSEC3 RR in the response, but the flag
+ is not set, then the response is bogus.
+
+ 3. Truncate SNAME by one label from the left, go to step 2.
+
+ Once the closest encloser has been discovered, the validator MUST
+ check that the NSEC3 RR that has the closest encloser as the original
+ owner name is from the proper zone. The DNAME type bit must not be
+ set and the NS type bit may only be set if the SOA type bit is set.
+ If this is not the case, it would be an indication that an attacker
+ is using them to falsely deny the existence of RRs for which the
+ server is not authoritative.
+
+ In the following descriptions, the phrase "a closest (provable)
+ encloser proof for X" means that the algorithm above (or an
+ equivalent algorithm) proves that X does not exist by proving that an
+ ancestor of X is its closest encloser.
+
+8.4. Validating Name Error Responses
+
+ A validator MUST verify that there is a closest encloser proof for
+ QNAME present in the response and that there is an NSEC3 RR that
+ covers the wildcard at the closest encloser (i.e., the name formed by
+ prepending the asterisk label to the closest encloser).
+
+8.5. Validating No Data Responses, QTYPE is not DS
+
+ The validator MUST verify that an NSEC3 RR that matches QNAME is
+ present and that both the QTYPE and the CNAME type are not set in its
+ Type Bit Maps field.
+
+ Note that this test also covers the case where the NSEC3 RR exists
+ because it corresponds to an empty non-terminal, in which case the
+ NSEC3 RR will have an empty Type Bit Maps field.
+
+8.6. Validating No Data Responses, QTYPE is DS
+
+ If there is an NSEC3 RR that matches QNAME present in the response,
+ then that NSEC3 RR MUST NOT have the bits corresponding to DS and
+ CNAME set in its Type Bit Maps field.
+
+ If there is no such NSEC3 RR, then the validator MUST verify that a
+ closest provable encloser proof for QNAME is present in the response,
+ and that the NSEC3 RR that covers the "next closer" name has the Opt-
+ Out bit set.
+
+
+
+
+
+
+Laurie, et al. Standards Track [Page 24]
+
+RFC 5155 NSEC3 March 2008
+
+
+8.7. Validating Wildcard No Data Responses
+
+ The validator MUST verify a closest encloser proof for QNAME and MUST
+ find an NSEC3 RR present in the response that matches the wildcard
+ name generated by prepending the asterisk label to the closest
+ encloser. Furthermore, the bits corresponding to both QTYPE and
+ CNAME MUST NOT be set in the wildcard matching NSEC3 RR.
+
+8.8. Validating Wildcard Answer Responses
+
+ The verified wildcard answer RRSet in the response provides the
+ validator with a (candidate) closest encloser for QNAME. This
+ closest encloser is the immediate ancestor to the generating
+ wildcard.
+
+ Validators MUST verify that there is an NSEC3 RR that covers the
+ "next closer" name to QNAME present in the response. This proves
+ that QNAME itself did not exist and that the correct wildcard was
+ used to generate the response.
+
+8.9. Validating Referrals to Unsigned Subzones
+
+ The delegation name in a referral is the owner name of the NS RRSet
+ present in the authority section of the referral response.
+
+ If there is an NSEC3 RR present in the response that matches the
+ delegation name, then the validator MUST ensure that the NS bit is
+ set and that the DS bit is not set in the Type Bit Maps field of the
+ NSEC3 RR. The validator MUST also ensure that the NSEC3 RR is from
+ the correct (i.e., parent) zone. This is done by ensuring that the
+ SOA bit is not set in the Type Bit Maps field of this NSEC3 RR.
+
+ Note that the presence of an NS bit implies the absence of a DNAME
+ bit, so there is no need to check for the DNAME bit in the Type Bit
+ Maps field of the NSEC3 RR.
+
+ If there is no NSEC3 RR present that matches the delegation name,
+ then the validator MUST verify a closest provable encloser proof for
+ the delegation name. The validator MUST verify that the Opt-Out bit
+ is set in the NSEC3 RR that covers the "next closer" name to the
+ delegation name.
+
+
+
+
+
+
+
+
+
+
+Laurie, et al. Standards Track [Page 25]
+
+RFC 5155 NSEC3 March 2008
+
+
+9. Resolver Considerations
+
+9.1. NSEC3 Resource Record Caching
+
+ Caching resolvers MUST be able to retrieve the appropriate NSEC3 RRs
+ when returning responses that contain them. In DNSSEC [RFC4035], in
+ many cases it is possible to find the correct NSEC RR to return in a
+ response by name (e.g., when returning a referral, the NSEC RR will
+ always have the same owner name as the delegation). With this
+ specification, that will not be true, nor will a cache be able to
+ calculate the name(s) of the appropriate NSEC3 RR(s).
+ Implementations may need to use new methods for caching and
+ retrieving NSEC3 RRs.
+
+9.2. Use of the AD Bit
+
+ The AD bit, as defined by [RFC4035], MUST NOT be set when returning a
+ response containing a closest (provable) encloser proof in which the
+ NSEC3 RR that covers the "next closer" name has the Opt-Out bit set.
+
+ This rule is based on what this closest encloser proof actually
+ proves: names that would be covered by the Opt-Out NSEC3 RR may or
+ may not exist as insecure delegations. As such, not all the data in
+ responses containing such closest encloser proofs will have been
+ cryptographically verified, so the AD bit cannot be set.
+
+10. Special Considerations
+
+10.1. Domain Name Length Restrictions
+
+ Zones signed using this specification have additional domain name
+ length restrictions imposed upon them. In particular, zones with
+ names that, when converted into hashed owner names exceed the 255
+ octet length limit imposed by [RFC1035], cannot use this
+ specification.
+
+ The actual maximum length of a domain name in a particular zone
+ depends on both the length of the zone name (versus the whole domain
+ name) and the particular hash function used.
+
+ As an example, SHA-1 produces a hash of 160 bits. The base-32
+ encoding of 160 bits results in 32 characters. The 32 characters are
+ prepended to the name of the zone as a single label, which includes a
+ length field of a single octet. The maximum length of the zone name,
+ when using SHA-1, is 222 octets (255 - 33).
+
+
+
+
+
+
+Laurie, et al. Standards Track [Page 26]
+
+RFC 5155 NSEC3 March 2008
+
+
+10.2. DNAME at the Zone Apex
+
+ The DNAME specification in Section 3 of [RFC2672] has a 'no-
+ descendants' limitation. If a DNAME RR is present at node N, there
+ MUST be no data at any descendant of N.
+
+ If N is the apex of the zone, there will be NSEC3 and RRSIG types
+ present at descendants of N. This specification updates the DNAME
+ specification to allow NSEC3 and RRSIG types at descendants of the
+ apex regardless of the existence of DNAME at the apex.
+
+10.3. Iterations
+
+ Setting the number of iterations used allows the zone owner to choose
+ the cost of computing a hash, and therefore the cost of generating a
+ dictionary. Note that this is distinct from the effect of salt,
+ which prevents the use of a single precomputed dictionary for all
+ time.
+
+ Obviously the number of iterations also affects the zone owner's cost
+ of signing and serving the zone as well as the validator's cost of
+ verifying responses from the zone. We therefore impose an upper
+ limit on the number of iterations. We base this on the number of
+ iterations that approximates the cost of verifying an RRSet.
+
+ The limits, therefore, are based on the size of the smallest zone
+ signing key, rounded up to the nearest table value (or rounded down
+ if the key is larger than the largest table value).
+
+ A zone owner MUST NOT use a value higher than shown in the table
+ below for iterations for the given key size. A resolver MAY treat a
+ response with a higher value as insecure, after the validator has
+ verified that the signature over the NSEC3 RR is correct.
+
+ +----------+------------+
+ | Key Size | Iterations |
+ +----------+------------+
+ | 1024 | 150 |
+ | 2048 | 500 |
+ | 4096 | 2,500 |
+ +----------+------------+
+
+ This table is based on an approximation of the ratio between the cost
+ of an SHA-1 calculation and the cost of an RSA verification for keys
+ of size 1024 bits (150 to 1), 2048 bits (500 to 1), and 4096 bits
+ (2500 to 1).
+
+
+
+
+
+Laurie, et al. Standards Track [Page 27]
+
+RFC 5155 NSEC3 March 2008
+
+
+ The ratio between SHA-1 calculation and DSA verification is higher
+ (1500 to 1 for keys of size 1024). A higher iteration count degrades
+ performance, while DSA verification is already more expensive than
+ RSA for the same key size. Therefore the values in the table MUST be
+ used independent of the key algorithm.
+
+10.4. Transitioning a Signed Zone from NSEC to NSEC3
+
+ When transitioning an already signed and trusted zone to this
+ specification, care must be taken to prevent client validation
+ failures during the process.
+
+ The basic procedure is as follows:
+
+ 1. Transition all DNSKEYs to DNSKEYs using the algorithm aliases
+ described in Section 2. The actual method for safely and
+ securely changing the DNSKEY RRSet of the zone is outside the
+ scope of this specification. However, the end result MUST be
+ that all DS RRs in the parent use the specified algorithm
+ aliases.
+
+ After this transition is complete, all NSEC3-unaware clients will
+ treat the zone as insecure. At this point, the authoritative
+ server still returns negative and wildcard responses that contain
+ NSEC RRs.
+
+ 2. Add signed NSEC3 RRs to the zone, either incrementally or all at
+ once. If adding incrementally, then the last RRSet added MUST be
+ the NSEC3PARAM RRSet.
+
+ 3. Upon the addition of the NSEC3PARAM RRSet, the server switches to
+ serving negative and wildcard responses with NSEC3 RRs according
+ to this specification.
+
+ 4. Remove the NSEC RRs either incrementally or all at once.
+
+10.5. Transitioning a Signed Zone from NSEC3 to NSEC
+
+ To safely transition back to a DNSSEC [RFC4035] signed zone, simply
+ reverse the procedure above:
+
+ 1. Add NSEC RRs incrementally or all at once.
+
+ 2. Remove the NSEC3PARAM RRSet. This will signal the server to use
+ the NSEC RRs for negative and wildcard responses.
+
+ 3. Remove the NSEC3 RRs either incrementally or all at once.
+
+
+
+
+Laurie, et al. Standards Track [Page 28]
+
+RFC 5155 NSEC3 March 2008
+
+
+ 4. Transition all of the DNSKEYs to DNSSEC algorithm identifiers.
+ After this transition is complete, all NSEC3-unaware clients will
+ treat the zone as secure.
+
+11. IANA Considerations
+
+ Although the NSEC3 and NSEC3PARAM RR formats include a hash algorithm
+ parameter, this document does not define a particular mechanism for
+ safely transitioning from one NSEC3 hash algorithm to another. When
+ specifying a new hash algorithm for use with NSEC3, a transition
+ mechanism MUST also be defined.
+
+ This document updates the IANA registry "DOMAIN NAME SYSTEM
+ PARAMETERS" (http://www.iana.org/assignments/dns-parameters) in sub-
+ registry "TYPES", by defining two new types. Section 3 defines the
+ NSEC3 RR type 50. Section 4 defines the NSEC3PARAM RR type 51.
+
+ This document updates the IANA registry "DNS SECURITY ALGORITHM
+ NUMBERS -- per [RFC4035]"
+ (http://www.iana.org/assignments/dns-sec-alg-numbers). Section 2
+ defines the aliases DSA-NSEC3-SHA1 (6) and RSASHA1-NSEC3-SHA1 (7) for
+ respectively existing registrations DSA and RSASHA1 in combination
+ with NSEC3 hash algorithm SHA1.
+
+ Since these algorithm numbers are aliases for existing DNSKEY
+ algorithm numbers, the flags that exist for the original algorithm
+ are valid for the alias algorithm.
+
+ This document creates a new IANA registry for NSEC3 flags. This
+ registry is named "DNSSEC NSEC3 Flags". The initial contents of this
+ registry are:
+
+ 0 1 2 3 4 5 6 7
+ +---+---+---+---+---+---+---+---+
+ | | | | | | | |Opt|
+ | | | | | | | |Out|
+ +---+---+---+---+---+---+---+---+
+
+ bit 7 is the Opt-Out flag.
+
+ bits 0 - 6 are available for assignment.
+
+ Assignment of additional NSEC3 Flags in this registry requires IETF
+ Standards Action [RFC2434].
+
+ This document creates a new IANA registry for NSEC3PARAM flags. This
+ registry is named "DNSSEC NSEC3PARAM Flags". The initial contents of
+ this registry are:
+
+
+
+Laurie, et al. Standards Track [Page 29]
+
+RFC 5155 NSEC3 March 2008
+
+
+ 0 1 2 3 4 5 6 7
+ +---+---+---+---+---+---+---+---+
+ | | | | | | | | 0 |
+ +---+---+---+---+---+---+---+---+
+
+ bit 7 is reserved and must be 0.
+
+ bits 0 - 6 are available for assignment.
+
+ Assignment of additional NSEC3PARAM Flags in this registry requires
+ IETF Standards Action [RFC2434].
+
+ Finally, this document creates a new IANA registry for NSEC3 hash
+ algorithms. This registry is named "DNSSEC NSEC3 Hash Algorithms".
+ The initial contents of this registry are:
+
+ 0 is Reserved.
+
+ 1 is SHA-1.
+
+ 2-255 Available for assignment.
+
+ Assignment of additional NSEC3 hash algorithms in this registry
+ requires IETF Standards Action [RFC2434].
+
+12. Security Considerations
+
+12.1. Hashing Considerations
+
+12.1.1. Dictionary Attacks
+
+ The NSEC3 RRs are still susceptible to dictionary attacks (i.e., the
+ attacker retrieves all the NSEC3 RRs, then calculates the hashes of
+ all likely domain names, comparing against the hashes found in the
+ NSEC3 RRs, and thus enumerating the zone). These are substantially
+ more expensive than enumerating the original NSEC RRs would have
+ been, and in any case, such an attack could also be used directly
+ against the name server itself by performing queries for all likely
+ names, though this would obviously be more detectable. The expense
+ of this off-line attack can be chosen by setting the number of
+ iterations in the NSEC3 RR.
+
+ Zones are also susceptible to a pre-calculated dictionary attack --
+ that is, a list of hashes for all likely names is computed once, then
+ NSEC3 RR is scanned periodically and compared against the precomputed
+ hashes. This attack is prevented by changing the salt on a regular
+ basis.
+
+
+
+
+Laurie, et al. Standards Track [Page 30]
+
+RFC 5155 NSEC3 March 2008
+
+
+ The salt SHOULD be at least 64 bits long and unpredictable, so that
+ an attacker cannot anticipate the value of the salt and compute the
+ next set of dictionaries before the zone is published.
+
+12.1.2. Collisions
+
+ Hash collisions between QNAME and the owner name of an NSEC3 RR may
+ occur. When they do, it will be impossible to prove the non-
+ existence of the colliding QNAME. However, with SHA-1, this is
+ highly unlikely (on the order of 1 in 2^160). Note that DNSSEC
+ already relies on the presumption that a cryptographic hash function
+ is second pre-image resistant, since these hash functions are used
+ for generating and validating signatures and DS RRs.
+
+12.1.3. Transitioning to a New Hash Algorithm
+
+ Although the NSEC3 and NSEC3PARAM RR formats include a hash algorithm
+ parameter, this document does not define a particular mechanism for
+ safely transitioning from one NSEC3 hash algorithm to another. When
+ specifying a new hash algorithm for use with NSEC3, a transition
+ mechanism MUST also be defined. It is possible that the only
+ practical and palatable transition mechanisms may require an
+ intermediate transition to an insecure state, or to a state that uses
+ NSEC records instead of NSEC3.
+
+12.1.4. Using High Iteration Values
+
+ Since validators should treat responses containing NSEC3 RRs with
+ high iteration values as insecure, presence of just one signed NSEC3
+ RR with a high iteration value in a zone provides attackers with a
+ possible downgrade attack.
+
+ The attack is simply to remove any existing NSEC3 RRs from a
+ response, and replace or add a single (or multiple) NSEC3 RR that
+ uses a high iterations value to the response. Validators will then
+ be forced to treat the response as insecure. This attack would be
+ effective only when all of following conditions are met:
+
+ o There is at least one signed NSEC3 RR that uses a high iterations
+ value present in the zone.
+
+ o The attacker has access to one or more of these NSEC3 RRs. This
+ is trivially true when the NSEC3 RRs with high iteration values
+ are being returned in typical responses, but may also be true if
+ the attacker can access the zone via AXFR or IXFR queries, or any
+ other methodology.
+
+
+
+
+
+Laurie, et al. Standards Track [Page 31]
+
+RFC 5155 NSEC3 March 2008
+
+
+ Using a high number of iterations also introduces an additional
+ denial-of-service opportunity against servers, since servers must
+ calculate several hashes per negative or wildcard response.
+
+12.2. Opt-Out Considerations
+
+ The Opt-Out Flag (O) allows for unsigned names, in the form of
+ delegations to unsigned zones, to exist within an otherwise signed
+ zone. All unsigned names are, by definition, insecure, and their
+ validity or existence cannot be cryptographically proven.
+
+ In general:
+
+ o Resource records with unsigned names (whether existing or not)
+ suffer from the same vulnerabilities as RRs in an unsigned zone.
+ These vulnerabilities are described in more detail in [RFC3833]
+ (note in particular Section 2.3, "Name Chaining" and Section 2.6,
+ "Authenticated Denial of Domain Names").
+
+ o Resource records with signed names have the same security whether
+ or not Opt-Out is used.
+
+ Note that with or without Opt-Out, an insecure delegation may be
+ undetectably altered by an attacker. Because of this, the primary
+ difference in security when using Opt-Out is the loss of the ability
+ to prove the existence or nonexistence of an insecure delegation
+ within the span of an Opt-Out NSEC3 RR.
+
+ In particular, this means that a malicious entity may be able to
+ insert or delete RRs with unsigned names. These RRs are normally NS
+ RRs, but this also includes signed wildcard expansions (while the
+ wildcard RR itself is signed, its expanded name is an unsigned name).
+
+ Note that being able to add a delegation is functionally equivalent
+ to being able to add any RR type: an attacker merely has to forge a
+ delegation to name server under his/her control and place whatever
+ RRs needed at the subzone apex.
+
+ While in particular cases, this issue may not present a significant
+ security problem, in general it should not be lightly dismissed.
+ Therefore, it is strongly RECOMMENDED that Opt-Out be used sparingly.
+ In particular, zone signing tools SHOULD NOT default to using Opt-
+ Out, and MAY choose to not support Opt-Out at all.
+
+
+
+
+
+
+
+
+Laurie, et al. Standards Track [Page 32]
+
+RFC 5155 NSEC3 March 2008
+
+
+12.3. Other Considerations
+
+ Walking the NSEC3 RRs will reveal the total number of RRs in the zone
+ (plus empty non-terminals), and also what types there are. This
+ could be mitigated by adding dummy entries, but certainly an upper
+ limit can always be found.
+
+13. References
+
+13.1. Normative References
+
+ [RFC1034] Mockapetris, P., "Domain names - concepts and
+ facilities", STD 13, RFC 1034, November 1987.
+
+ [RFC1035] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
+ "Dynamic Updates in the Domain Name System (DNS
+ UPDATE)", RFC 2136, April 1997.
+
+ [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
+ Specification", RFC 2181, July 1997.
+
+ [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
+ NCACHE)", RFC 2308, March 1998.
+
+ [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for
+ Writing an IANA Considerations Section in RFCs",
+ BCP 26, RFC 2434, October 1998.
+
+ [RFC2929] Eastlake, D., Brunner-Williams, E., and B. Manning,
+ "Domain Name System (DNS) IANA Considerations",
+ BCP 42, RFC 2929, September 2000.
+
+ [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource
+ Record (RR) Types", RFC 3597, September 2003.
+
+ [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D.,
+ and S. Rose, "DNS Security Introduction and
+ Requirements", RFC 4033, March 2005.
+
+ [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D.,
+ and S. Rose, "Resource Records for the DNS Security
+ Extensions", RFC 4034, March 2005.
+
+
+
+Laurie, et al. Standards Track [Page 33]
+
+RFC 5155 NSEC3 March 2008
+
+
+ [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D.,
+ and S. Rose, "Protocol Modifications for the DNS
+ Security Extensions", RFC 4035, March 2005.
+
+ [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
+ Encodings", RFC 4648, October 2006.
+
+13.2. Informative References
+
+ [DNSEXT-NO] Josefsson, S., "Authenticating Denial of Existence
+ in DNS with Minimum Disclosure", Work in Progress,
+ July 2000.
+
+ [DNSEXT-NSEC2v2] Laurie, B., "DNSSEC NSEC2 Owner and RDATA Format",
+ Work in Progress, December 2004.
+
+ [RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection",
+ RFC 2672, August 1999.
+
+ [RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography
+ Specification Version 2.0", RFC 2898,
+ September 2000.
+
+ [RFC3833] Atkins, D. and R. Austein, "Threat Analysis of the
+ Domain Name System (DNS)", RFC 3833, August 2004.
+
+ [RFC4592] Lewis, E., "The Role of Wildcards in the Domain
+ Name System", RFC 4592, July 2006.
+
+ [RFC4956] Arends, R., Kosters, M., and D. Blacka, "DNS
+ Security (DNSSEC) Opt-In", RFC 4956, July 2007.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al. Standards Track [Page 34]
+
+RFC 5155 NSEC3 March 2008
+
+
+Appendix A. Example Zone
+
+ This is a zone showing its NSEC3 RRs. They can also be used as test
+ vectors for the hash algorithm.
+
+ The overall TTL and class are specified in the SOA RR, and are
+ subsequently omitted for clarity.
+
+ The zone is preceded by a list that contains the hashes of the
+ original ownernames.
+
+ ; H(example) = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
+ ; H(a.example) = 35mthgpgcu1qg68fab165klnsnk3dpvl
+ ; H(ai.example) = gjeqe526plbf1g8mklp59enfd789njgi
+ ; H(ns1.example) = 2t7b4g4vsa5smi47k61mv5bv1a22bojr
+ ; H(ns2.example) = q04jkcevqvmu85r014c7dkba38o0ji5r
+ ; H(w.example) = k8udemvp1j2f7eg6jebps17vp3n8i58h
+ ; H(*.w.example) = r53bq7cc2uvmubfu5ocmm6pers9tk9en
+ ; H(x.w.example) = b4um86eghhds6nea196smvmlo4ors995
+ ; H(y.w.example) = ji6neoaepv8b5o6k4ev33abha8ht9fgc
+ ; H(x.y.w.example) = 2vptu5timamqttgl4luu9kg21e0aor3s
+ ; H(xx.example) = t644ebqk9bibcna874givr6joj62mlhv
+ ; H(2t7b4g4vsa5smi47k61mv5bv1a22bojr.example)
+ ; = kohar7mbb8dc2ce8a9qvl8hon4k53uhi
+ example. 3600 IN SOA ns1.example. bugs.x.w.example. 1 3600 300 (
+ 3600000 3600 )
+ RRSIG SOA 7 1 3600 20150420235959 20051021000000 (
+ 40430 example.
+ Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8i
+ q4ZLlYWfUUbbAS41pG+68z81q1xhkYAcEyHd
+ VI2LmKusbZsT0Q== )
+ NS ns1.example.
+ NS ns2.example.
+ RRSIG NS 7 1 3600 20150420235959 20051021000000 (
+ 40430 example.
+ PVOgtMK1HHeSTau+HwDWC8Ts+6C8qtqd4pQJ
+ qOtdEVgg+MA+ai4fWDEhu3qHJyLcQ9tbD2vv
+ CnMXjtz6SyObxA== )
+ MX 1 xx.example.
+ RRSIG MX 7 1 3600 20150420235959 20051021000000 (
+ 40430 example.
+ GgQ1A9xs47k42VPvpL/a1BWUz/6XsnHkjotw
+ 9So8MQtZtl2wJBsnOQsaoHrRCrRbyriEl/GZ
+ n9Mto/Kx+wBo+w== )
+ DNSKEY 256 3 7 AwEAAaetidLzsKWUt4swWR8yu0wPHPiUi8LU (
+ sAD0QPWU+wzt89epO6tHzkMBVDkC7qphQO2h
+ TY4hHn9npWFRw5BYubE= )
+
+
+
+
+Laurie, et al. Standards Track [Page 35]
+
+RFC 5155 NSEC3 March 2008
+
+
+ DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ (
+ j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9
+ AbsUdblMFin8CVF3n4s= )
+ RRSIG DNSKEY 7 1 3600 20150420235959 (
+ 20051021000000 12708 example.
+ AuU4juU9RaxescSmStrQks3Gh9FblGBlVU31
+ uzMZ/U/FpsUb8aC6QZS+sTsJXnLnz7flGOsm
+ MGQZf3bH+QsCtg== )
+ NSEC3PARAM 1 0 12 aabbccdd
+ RRSIG NSEC3PARAM 7 1 3600 20150420235959 (
+ 20051021000000 40430 example.
+ C1Gl8tPZNtnjlrYWDeeUV/sGLCyy/IHie2re
+ rN05XSA3Pq0U3+4VvGWYWdUMfflOdxqnXHwJ
+ TLQsjlkynhG6Cg== )
+ 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
+ 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
+ SOA NSEC3PARAM RRSIG )
+ RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 (
+ 40430 example.
+ OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL
+ IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762
+ BOCXJZMnpuwhpA== )
+ 2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. A 192.0.2.127
+ RRSIG A 7 2 3600 20150420235959 20051021000000 (
+ 40430 example.
+ h6c++bzhRuWWt2bykN6mjaTNBcXNq5UuL5Ed
+ K+iDP4eY8I0kSiKaCjg3tC1SQkeloMeub2GW
+ k8p6xHMPZumXlw== )
+ NSEC3 1 1 12 aabbccdd (
+ 2vptu5timamqttgl4luu9kg21e0aor3s A RRSIG )
+ RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 (
+ 40430 example.
+ OmBvJ1Vgg1hCKMXHFiNeIYHK9XVW0iLDLwJN
+ 4TFoNxZuP03gAXEI634YwOc4YBNITrj413iq
+ NI6mRk/r1dOSUw== )
+ 2vptu5timamqttgl4luu9kg21e0aor3s.example. NSEC3 1 1 12 aabbccdd (
+ 35mthgpgcu1qg68fab165klnsnk3dpvl MX RRSIG )
+ RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 (
+ 40430 example.
+ KL1V2oFYghNV0Hm7Tf2vpJjM6l+0g1JCcVYG
+ VfI0lKrhPmTsOA96cLEACgo1x8I7kApJX+ob
+ TuktZ+sdsZPY1w== )
+ 35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd (
+ b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
+
+
+
+
+
+
+
+Laurie, et al. Standards Track [Page 36]
+
+RFC 5155 NSEC3 March 2008
+
+
+ RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 (
+ 40430 example.
+ g6jPUUpduAJKRljUsN8gB4UagAX0NxY9shwQ
+ Aynzo8EUWH+z6hEIBlUTPGj15eZll6VhQqgZ
+ XtAIR3chwgW+SA== )
+ a.example. NS ns1.a.example.
+ NS ns2.a.example.
+ DS 58470 5 1 (
+ 3079F1593EBAD6DC121E202A8B766A6A4837206C )
+ RRSIG DS 7 2 3600 20150420235959 20051021000000 (
+ 40430 example.
+ XacFcQVHLVzdoc45EJhN616zQ4mEXtE8FzUh
+ M2KWjfy1VfRKD9r1MeVGwwoukOKgJxBPFsWo
+ o722vZ4UZ2dIdA== )
+ ns1.a.example. A 192.0.2.5
+ ns2.a.example. A 192.0.2.6
+ ai.example. A 192.0.2.9
+ RRSIG A 7 2 3600 20150420235959 20051021000000 (
+ 40430 example.
+ hVe+wKYMlObTRPhX0NL67GxeZfdxqr/QeR6F
+ tfdAj5+FgYxyzPEjIzvKWy00hWIl6wD3Vws+
+ rznEn8sQ64UdqA== )
+ HINFO "KLH-10" "ITS"
+ RRSIG HINFO 7 2 3600 20150420235959 20051021000000 (
+ 40430 example.
+ Yi42uOq43eyO6qXHNvwwfFnIustWgV5urFcx
+ enkLvs6pKRh00VBjODmf3Z4nMO7IOl6nHSQ1
+ v0wLHpEZG7Xj2w== )
+ AAAA 2001:db8:0:0:0:0:f00:baa9
+ RRSIG AAAA 7 2 3600 20150420235959 20051021000000 (
+ 40430 example.
+ LcdxKaCB5bGZwPDg+3JJ4O02zoMBrjxqlf6W
+ uaHQZZfTUpb9Nf2nxFGe2XRPfR5tpJT6GdRG
+ cHueLuXkMjBArQ== )
+ b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd (
+ gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
+ RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 (
+ 40430 example.
+ ZkPG3M32lmoHM6pa3D6gZFGB/rhL//Bs3Omh
+ 5u4m/CUiwtblEVOaAKKZd7S959OeiX43aLX3
+ pOv0TSTyiTxIZg== )
+ c.example. NS ns1.c.example.
+ NS ns2.c.example.
+ ns1.c.example. A 192.0.2.7
+ ns2.c.example. A 192.0.2.8
+ gjeqe526plbf1g8mklp59enfd789njgi.example. NSEC3 1 1 12 aabbccdd (
+ ji6neoaepv8b5o6k4ev33abha8ht9fgc HINFO A AAAA
+ RRSIG )
+
+
+
+Laurie, et al. Standards Track [Page 37]
+
+RFC 5155 NSEC3 March 2008
+
+
+ RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 (
+ 40430 example.
+ IVnezTJ9iqblFF97vPSmfXZ5Zozngx3KX3by
+ LTZC4QBH2dFWhf6scrGFZB980AfCxoD9qbbK
+ Dy+rdGIeRSVNyw== )
+ ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. NSEC3 1 1 12 aabbccdd (
+ k8udemvp1j2f7eg6jebps17vp3n8i58h )
+ RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 (
+ 40430 example.
+ gPkFp1s2QDQ6wQzcg1uSebZ61W33rUBDcTj7
+ 2F3kQ490fEdp7k1BUIfbcZtPbX3YCpE+sIt0
+ MpzVSKfTwx4uYA== )
+ k8udemvp1j2f7eg6jebps17vp3n8i58h.example. NSEC3 1 1 12 aabbccdd (
+ kohar7mbb8dc2ce8a9qvl8hon4k53uhi )
+ RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 (
+ 40430 example.
+ FtXGbvF0+wf8iWkyo73enAuVx03klN+pILBK
+ S6qCcftVtfH4yVzsEZquJ27NHR7ruxJWDNMt
+ Otx7w9WfcIg62A== )
+ kohar7mbb8dc2ce8a9qvl8hon4k53uhi.example. NSEC3 1 1 12 aabbccdd (
+ q04jkcevqvmu85r014c7dkba38o0ji5r A RRSIG )
+ RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 (
+ 40430 example.
+ VrDXs2uVW21N08SyQIz88zml+y4ZCInTwgDr
+ 6zz43yAg+LFERjOrj3Ojct51ac7Dp4eZbf9F
+ QJazmASFKGxGXg== )
+ ns1.example. A 192.0.2.1
+ RRSIG A 7 2 3600 20150420235959 20051021000000 (
+ 40430 example.
+ bu6kx73n6XEunoVGuRfAgY7EF/AJqHy7hj0j
+ kiqJjB0dOrx3wuz9SaBeGfqWIdn/uta3SavN
+ 4FRvZR9SCFHF5Q== )
+ ns2.example. A 192.0.2.2
+ RRSIG A 7 2 3600 20150420235959 20051021000000 (
+ 40430 example.
+ ktQ3TqE0CfRfki0Rb/Ip5BM0VnxelbuejCC4
+ zpLbFKA/7eD7UNAwxMgxJPtbdST+syjYSJaj
+ 4IHfeX6n8vfoGA== )
+ q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd (
+ r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG )
+ RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 (
+ 40430 example.
+ hV5I89b+4FHJDATp09g4bbN0R1F845CaXpL3
+ ZxlMKimoPAyqletMlEWwLfFia7sdpSzn+ZlN
+ NlkxWcLsIlMmUg== )
+
+
+
+
+
+
+Laurie, et al. Standards Track [Page 38]
+
+RFC 5155 NSEC3 March 2008
+
+
+ r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. NSEC3 1 1 12 aabbccdd (
+ t644ebqk9bibcna874givr6joj62mlhv MX RRSIG )
+ RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 (
+ 40430 example.
+ aupviViruXs4bDg9rCbezzBMf9h1ZlDvbW/C
+ ZFKulIGXXLj8B/fsDJarXVDA9bnUoRhEbKp+
+ HF1FWKW7RIJdtQ== )
+ t644ebqk9bibcna874givr6joj62mlhv.example. NSEC3 1 1 12 aabbccdd (
+ 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom HINFO A AAAA
+ RRSIG )
+ RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 (
+ 40430 example.
+ RAjGECB8P7O+F4Pa4Dx3tC0M+Z3KmlLKImca
+ fb9XWwx+NWUNz7NBEDBQHivIyKPVDkChcePI
+ X1xPl1ATNa+8Dw== )
+ *.w.example. MX 1 ai.example.
+ RRSIG MX 7 2 3600 20150420235959 20051021000000 (
+ 40430 example.
+ CikebjQwGQPwijVcxgcZcSJKtfynugtlBiKb
+ 9FcBTrmOoyQ4InoWVudhCWsh/URX3lc4WRUM
+ ivEBP6+4KS3ldA== )
+ x.w.example. MX 1 xx.example.
+ RRSIG MX 7 3 3600 20150420235959 20051021000000 (
+ 40430 example.
+ IrK3tq/tHFIBF0scHiE/1IwMAvckS/55hAVv
+ QyxTFbkAdDloP3NbZzu+yoSsr3b3OX6qbBpY
+ 7WCtwwekLKRAwQ== )
+ x.y.w.example. MX 1 xx.example.
+ RRSIG MX 7 4 3600 20150420235959 20051021000000 (
+ 40430 example.
+ MqSt5HqJIN8+SLlzTOImrh5h9Xa6gDvAW/Gn
+ nbdPc6Z7nXvCpLPJj/5lCwx3VuzVOjkbvXze
+ 8/8Ccl2Zn2hbug== )
+ xx.example. A 192.0.2.10
+ RRSIG A 7 2 3600 20150420235959 20051021000000 (
+ 40430 example.
+ T35hBWEZ017VC5u2c4OriKyVn/pu+fVK4AlX
+ YOxJ6iQylfV2HQIKjv6b7DzINB3aF/wjJqgX
+ pQvhq+Ac6+ZiFg== )
+ HINFO "KLH-10" "TOPS-20"
+ RRSIG HINFO 7 2 3600 20150420235959 20051021000000 (
+ 40430 example.
+ KimG+rDd+7VA1zRsu0ITNAQUTRlpnsmqWrih
+ FRnU+bRa93v2e5oFNFYCs3Rqgv62K93N7AhW
+ 6Jfqj/8NzWjvKg== )
+ AAAA 2001:db8:0:0:0:0:f00:baaa
+
+
+
+
+
+Laurie, et al. Standards Track [Page 39]
+
+RFC 5155 NSEC3 March 2008
+
+
+ RRSIG AAAA 7 2 3600 20150420235959 20051021000000 (
+ 40430 example.
+ IXBcXORITNwd8h3gNwyxtYFvAupS/CYWufVe
+ uBUX0O25ivBCULjZjpDxFSxfohb/KA7YRdxE
+ NzYfMItpILl/Xw== )
+
+Appendix B. Example Responses
+
+ The examples in this section show response messages using the signed
+ zone example in Appendix A.
+
+B.1. Name Error
+
+ An authoritative name error. The NSEC3 RRs prove that the name does
+ not exist and that there is no wildcard RR that should have been
+ expanded.
+
+;; Header: QR AA DO RCODE=3
+;;
+;; Question
+a.c.x.w.example. IN A
+
+;; Answer
+;; (empty)
+
+;; Authority
+
+example. SOA ns1.example. bugs.x.w.example. 1 3600 300 (
+ 3600000 3600 )
+example. RRSIG SOA 7 1 3600 20150420235959 20051021000000 (
+ 40430 example.
+ Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8i
+ q4ZLlYWfUUbbAS41pG+68z81q1xhkYAcEyHd
+ VI2LmKusbZsT0Q== )
+
+;; NSEC3 RR that covers the "next closer" name (c.x.w.example)
+;; H(c.x.w.example) = 0va5bpr2ou0vk0lbqeeljri88laipsfh
+
+0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
+ 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
+ SOA NSEC3PARAM RRSIG )
+0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 7 2 3600 (
+ 20150420235959 20051021000000 40430 example.
+ OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL
+ IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762
+ BOCXJZMnpuwhpA== )
+
+
+
+
+
+Laurie, et al. Standards Track [Page 40]
+
+RFC 5155 NSEC3 March 2008
+
+
+;; NSEC3 RR that matches the closest encloser (x.w.example)
+;; H(x.w.example) = b4um86eghhds6nea196smvmlo4ors995
+
+b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd (
+ gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
+b4um86eghhds6nea196smvmlo4ors995.example. RRSIG NSEC3 7 2 3600 (
+ 20150420235959 20051021000000 40430 example.
+ ZkPG3M32lmoHM6pa3D6gZFGB/rhL//Bs3Omh
+ 5u4m/CUiwtblEVOaAKKZd7S959OeiX43aLX3
+ pOv0TSTyiTxIZg== )
+
+;; NSEC3 RR that covers wildcard at the closest encloser (*.x.w.example)
+;; H(*.x.w.example) = 92pqneegtaue7pjatc3l3qnk738c6v5m
+
+35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd (
+ b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
+35mthgpgcu1qg68fab165klnsnk3dpvl.example. RRSIG NSEC3 7 2 3600 (
+ 20150420235959 20051021000000 40430 example.
+ g6jPUUpduAJKRljUsN8gB4UagAX0NxY9shwQ
+ Aynzo8EUWH+z6hEIBlUTPGj15eZll6VhQqgZ
+ XtAIR3chwgW+SA== )
+
+;; Additional
+;; (empty)
+
+ The query returned three NSEC3 RRs that prove that the requested data
+ does not exist and that no wildcard expansion applies. The negative
+ response is authenticated by verifying the NSEC3 RRs. The
+ corresponding RRSIGs indicate that the NSEC3 RRs are signed by an
+ "example" DNSKEY of algorithm 7 and with key tag 40430. The resolver
+ needs the corresponding DNSKEY RR in order to authenticate this
+ answer.
+
+ One of the owner names of the NSEC3 RRs matches the closest encloser.
+ One of the NSEC3 RRs prove that there exists no longer name. One of
+ the NSEC3 RRs prove that there exists no wildcard RRSets that should
+ have been expanded. The closest encloser can be found by applying
+ the algorithm in Section 8.3.
+
+ In the above example, the name 'x.w.example' hashes to
+ 'b4um86eghhds6nea196smvmlo4ors995'. This indicates that this might
+ be the closest encloser. To prove that 'c.x.w.example' and
+ '*.x.w.example' do not exist, these names are hashed to,
+ respectively, '0va5bpr2ou0vk0lbqeeljri88laipsfh' and
+ '92pqneegtaue7pjatc3l3qnk738c6v5m'. The first and last NSEC3 RRs
+ prove that these hashed owner names do not exist.
+
+
+
+
+
+Laurie, et al. Standards Track [Page 41]
+
+RFC 5155 NSEC3 March 2008
+
+
+B.2. No Data Error
+
+ A "no data" response. The NSEC3 RR proves that the name exists and
+ that the requested RR type does not.
+
+;; Header: QR AA DO RCODE=0
+;;
+;; Question
+ns1.example. IN MX
+
+;; Answer
+;; (empty)
+
+;; Authority
+example. SOA ns1.example. bugs.x.w.example. 1 3600 300 (
+ 3600000 3600 )
+example. RRSIG SOA 7 1 3600 20150420235959 20051021000000 (
+ 40430 example.
+ Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8i
+ q4ZLlYWfUUbbAS41pG+68z81q1xhkYAcEyHd
+ VI2LmKusbZsT0Q== )
+
+;; NSEC3 RR matches the QNAME and shows that the MX type bit is not set.
+
+2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. NSEC3 1 1 12 aabbccdd (
+ 2vptu5timamqttgl4luu9kg21e0aor3s A RRSIG )
+2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. RRSIG NSEC3 7 2 3600 (
+ 20150420235959 20051021000000 40430 example.
+ OmBvJ1Vgg1hCKMXHFiNeIYHK9XVW0iLDLwJN
+ 4TFoNxZuP03gAXEI634YwOc4YBNITrj413iq
+ NI6mRk/r1dOSUw== )
+;; Additional
+;; (empty)
+
+ The query returned an NSEC3 RR that proves that the requested name
+ exists ("ns1.example." hashes to "2t7b4g4vsa5smi47k61mv5bv1a22bojr"),
+ but the requested RR type does not exist (type MX is absent in the
+ type code list of the NSEC3 RR), and was not a CNAME (type CNAME is
+ also absent in the type code list of the NSEC3 RR).
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al. Standards Track [Page 42]
+
+RFC 5155 NSEC3 March 2008
+
+
+B.2.1. No Data Error, Empty Non-Terminal
+
+ A "no data" response because of an empty non-terminal. The NSEC3 RR
+ proves that the name exists and that the requested RR type does not.
+
+ ;; Header: QR AA DO RCODE=0
+ ;;
+ ;; Question
+ y.w.example. IN A
+
+ ;; Answer
+ ;; (empty)
+
+ ;; Authority
+ example. SOA ns1.example. bugs.x.w.example. 1 3600 300 (
+ 3600000 3600 )
+ example. RRSIG SOA 7 1 3600 20150420235959 20051021000000 (
+ 40430 example.
+ Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8i
+ q4ZLlYWfUUbbAS41pG+68z81q1xhkYAcEyHd
+ VI2LmKusbZsT0Q== )
+
+ ;; NSEC3 RR matches the QNAME and shows that the A type bit is not set.
+
+ ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. NSEC3 1 1 12 aabbccdd (
+ k8udemvp1j2f7eg6jebps17vp3n8i58h )
+ ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. RRSIG NSEC3 7 2 3600 (
+ 20150420235959 20051021000000 40430 example.
+ gPkFp1s2QDQ6wQzcg1uSebZ61W33rUBDcTj7
+ 2F3kQ490fEdp7k1BUIfbcZtPbX3YCpE+sIt0
+ MpzVSKfTwx4uYA== )
+
+ ;; Additional
+ ;; (empty)
+
+ The query returned an NSEC3 RR that proves that the requested name
+ exists ("y.w.example." hashes to "ji6neoaepv8b5o6k4ev33abha8ht9fgc"),
+ but the requested RR type does not exist (Type A is absent in the
+ Type Bit Maps field of the NSEC3 RR). Note that, unlike an empty
+ non-terminal proof using NSECs, this is identical to a No Data Error.
+ This example is solely mentioned to be complete.
+
+
+
+
+
+
+
+
+
+
+Laurie, et al. Standards Track [Page 43]
+
+RFC 5155 NSEC3 March 2008
+
+
+B.3. Referral to an Opt-Out Unsigned Zone
+
+ The NSEC3 RRs prove that nothing for this delegation was signed.
+ There is no proof that the unsigned delegation exists.
+
+ ;; Header: QR DO RCODE=0
+ ;;
+ ;; Question
+ mc.c.example. IN MX
+
+ ;; Answer
+ ;; (empty)
+
+ ;; Authority
+ c.example. NS ns1.c.example.
+ NS ns2.c.example.
+
+ ;; NSEC3 RR that covers the "next closer" name (c.example)
+ ;; H(c.example) = 4g6p9u5gvfshp30pqecj98b3maqbn1ck
+
+ 35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd (
+ b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
+ 35mthgpgcu1qg68fab165klnsnk3dpvl.example. RRSIG NSEC3 7 2 3600 (
+ 20150420235959 20051021000000 40430 example.
+ g6jPUUpduAJKRljUsN8gB4UagAX0NxY9shwQ
+ Aynzo8EUWH+z6hEIBlUTPGj15eZll6VhQqgZ
+ XtAIR3chwgW+SA== )
+
+ ;; NSEC3 RR that matches the closest encloser (example)
+ ;; H(example) = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
+
+ 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
+ 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
+ SOA NSEC3PARAM RRSIG )
+ 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 7 2 3600 (
+ 20150420235959 20051021000000 40430 example.
+ OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL
+ IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762
+ BOCXJZMnpuwhpA== )
+
+ ;; Additional
+ ns1.c.example. A 192.0.2.7
+ ns2.c.example. A 192.0.2.8
+
+ The query returned a referral to the unsigned "c.example." zone. The
+ response contains the closest provable encloser of "c.example" to be
+ "example", since the hash of "c.example"
+
+
+
+
+Laurie, et al. Standards Track [Page 44]
+
+RFC 5155 NSEC3 March 2008
+
+
+ ("4g6p9u5gvfshp30pqecj98b3maqbn1ck") is covered by the first NSEC3 RR
+ and its Opt-Out bit is set.
+
+B.4. Wildcard Expansion
+
+ A query that was answered with a response containing a wildcard
+ expansion. The label count in the RRSIG RRSet in the answer section
+ indicates that a wildcard RRSet was expanded to produce this
+ response, and the NSEC3 RR proves that no "next closer" name exists
+ in the zone.
+
+ ;; Header: QR AA DO RCODE=0
+ ;;
+ ;; Question
+ a.z.w.example. IN MX
+
+ ;; Answer
+ a.z.w.example. MX 1 ai.example.
+ a.z.w.example. RRSIG MX 7 2 3600 20150420235959 20051021000000 (
+ 40430 example.
+ CikebjQwGQPwijVcxgcZcSJKtfynugtlBiKb
+ 9FcBTrmOoyQ4InoWVudhCWsh/URX3lc4WRUM
+ ivEBP6+4KS3ldA== )
+
+ ;; Authority
+ example. NS ns1.example.
+ example. NS ns2.example.
+ example. RRSIG NS 7 1 3600 20150420235959 20051021000000 (
+ 40430 example.
+ PVOgtMK1HHeSTau+HwDWC8Ts+6C8qtqd4pQJ
+ qOtdEVgg+MA+ai4fWDEhu3qHJyLcQ9tbD2vv
+ CnMXjtz6SyObxA== )
+
+ ;; NSEC3 RR that covers the "next closer" name (z.w.example)
+ ;; H(z.w.example) = qlu7gtfaeh0ek0c05ksfhdpbcgglbe03
+
+ q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd (
+ r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG )
+ q04jkcevqvmu85r014c7dkba38o0ji5r.example. RRSIG NSEC3 7 2 3600 (
+ 20150420235959 20051021000000 40430 example.
+ hV5I89b+4FHJDATp09g4bbN0R1F845CaXpL3
+ ZxlMKimoPAyqletMlEWwLfFia7sdpSzn+ZlN
+ NlkxWcLsIlMmUg== )
+
+
+
+
+
+
+
+
+Laurie, et al. Standards Track [Page 45]
+
+RFC 5155 NSEC3 March 2008
+
+
+ ;; Additional
+ ai.example. A 192.0.2.9
+ ai.example. RRSIG A 7 2 3600 20150420235959 20051021000000 (
+ 40430 example.
+ hVe+wKYMlObTRPhX0NL67GxeZfdxqr/QeR6F
+ tfdAj5+FgYxyzPEjIzvKWy00hWIl6wD3Vws+
+ rznEn8sQ64UdqA== )
+ ai.example. AAAA 2001:db8:0:0:0:0:f00:baa9
+ ai.example. RRSIG AAAA 7 2 3600 20150420235959 20051021000000 (
+ 40430 example.
+ LcdxKaCB5bGZwPDg+3JJ4O02zoMBrjxqlf6W
+ uaHQZZfTUpb9Nf2nxFGe2XRPfR5tpJT6GdRG
+ cHueLuXkMjBArQ== )
+
+ The query returned an answer that was produced as a result of a
+ wildcard expansion. The answer section contains a wildcard RRSet
+ expanded as it would be in a traditional DNS response. The RRSIG
+ Labels field value of 2 indicates that the answer is the result of a
+ wildcard expansion, as the "a.z.w.example" name contains 4 labels.
+ This also shows that "w.example" exists, so there is no need for an
+ NSEC3 RR that matches the closest encloser.
+
+ The NSEC3 RR proves that no closer match could have been used to
+ answer this query.
+
+B.5. Wildcard No Data Error
+
+ A "no data" response for a name covered by a wildcard. The NSEC3 RRs
+ prove that the matching wildcard name does not have any RRs of the
+ requested type and that no closer match exists in the zone.
+
+ ;; Header: QR AA DO RCODE=0
+ ;;
+ ;; Question
+ a.z.w.example. IN AAAA
+
+ ;; Answer
+ ;; (empty)
+
+ ;; Authority
+ example. SOA ns1.example. bugs.x.w.example. 1 3600 300 (
+ 3600000 3600 )
+ example. RRSIG SOA 7 1 3600 20150420235959 20051021000000 (
+ 40430 example.
+ Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8i
+ q4ZLlYWfUUbbAS41pG+68z81q1xhkYAcEyHd
+ VI2LmKusbZsT0Q== )
+
+
+
+
+Laurie, et al. Standards Track [Page 46]
+
+RFC 5155 NSEC3 March 2008
+
+
+ ;; NSEC3 RR that matches the closest encloser (w.example)
+ ;; H(w.example) = k8udemvp1j2f7eg6jebps17vp3n8i58h
+
+ k8udemvp1j2f7eg6jebps17vp3n8i58h.example. NSEC3 1 1 12 aabbccdd (
+ kohar7mbb8dc2ce8a9qvl8hon4k53uhi )
+ k8udemvp1j2f7eg6jebps17vp3n8i58h.example. RRSIG NSEC3 7 2 3600 (
+ 20150420235959 20051021000000 40430 example.
+ FtXGbvF0+wf8iWkyo73enAuVx03klN+pILBK
+ S6qCcftVtfH4yVzsEZquJ27NHR7ruxJWDNMt
+ Otx7w9WfcIg62A== )
+
+ ;; NSEC3 RR that covers the "next closer" name (z.w.example)
+ ;; H(z.w.example) = qlu7gtfaeh0ek0c05ksfhdpbcgglbe03
+
+ q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd (
+ r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG )
+ q04jkcevqvmu85r014c7dkba38o0ji5r.example. RRSIG NSEC3 7 2 3600 (
+ 20150420235959 20051021000000 40430 example.
+ hV5I89b+4FHJDATp09g4bbN0R1F845CaXpL3
+ ZxlMKimoPAyqletMlEWwLfFia7sdpSzn+ZlN
+ NlkxWcLsIlMmUg== )
+
+ ;; NSEC3 RR that matches a wildcard at the closest encloser.
+ ;; H(*.w.example) = r53bq7cc2uvmubfu5ocmm6pers9tk9en
+
+ r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. NSEC3 1 1 12 aabbccdd (
+ t644ebqk9bibcna874givr6joj62mlhv MX RRSIG )
+ r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. RRSIG NSEC3 7 2 3600 (
+ 20150420235959 20051021000000 40430 example.
+ aupviViruXs4bDg9rCbezzBMf9h1ZlDvbW/C
+ ZFKulIGXXLj8B/fsDJarXVDA9bnUoRhEbKp+
+ HF1FWKW7RIJdtQ== )
+
+ ;; Additional
+ ;; (empty)
+
+ The query returned the NSEC3 RRs that prove that the requested data
+ does not exist and no wildcard RR applies.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al. Standards Track [Page 47]
+
+RFC 5155 NSEC3 March 2008
+
+
+B.6. DS Child Zone No Data Error
+
+ A "no data" response for a QTYPE=DS query that was mistakenly sent to
+ a name server for the child zone.
+
+;; Header: QR AA DO RCODE=0
+;;
+;; Question
+example. IN DS
+
+;; Answer
+;; (empty)
+
+;; Authority
+example. SOA ns1.example. bugs.x.w.example. 1 3600 300 (
+ 3600000 3600 )
+example. RRSIG SOA 7 1 3600 20150420235959 20051021000000 (
+ 40430 example.
+ Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8i
+ q4ZLlYWfUUbbAS41pG+68z81q1xhkYAcEyHd
+ VI2LmKusbZsT0Q== )
+
+;; NSEC3 RR matches the QNAME and shows that the DS type bit is not set.
+
+0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
+ 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
+ SOA NSEC3PARAM RRSIG )
+0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 7 2 3600
+ 20150420235959 20051021000000 40430 example.
+ OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL
+ IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762
+ BOCXJZMnpuwhpA== )
+
+;; Additional
+;; (empty)
+
+ The query returned an NSEC3 RR showing that the requested was
+ answered by the server authoritative for the zone "example". The
+ NSEC3 RR indicates the presence of an SOA RR, showing that this NSEC3
+ RR is from the apex of the child, not from the zone cut of the
+ parent. Queries for the "example" DS RRSet should be sent to the
+ parent servers (which are in this case the root servers).
+
+Appendix C. Special Considerations
+
+ The following paragraphs clarify specific behavior and explain
+ special considerations for implementations.
+
+
+
+
+Laurie, et al. Standards Track [Page 48]
+
+RFC 5155 NSEC3 March 2008
+
+
+C.1. Salting
+
+ Augmenting original owner names with salt before hashing increases
+ the cost of a dictionary of pre-generated hash-values. For every bit
+ of salt, the cost of a precomputed dictionary doubles (because there
+ must be an entry for each word combined with each possible salt
+ value). The NSEC3 RR can use a maximum of 2040 bits (255 octets) of
+ salt, multiplying the cost by 2^2040. This means that an attacker
+ must, in practice, recompute the dictionary each time the salt is
+ changed.
+
+ Including a salt, regardless of size, does not affect the cost of
+ constructing NSEC3 RRs. It does increase the size of the NSEC3 RR.
+
+ There MUST be at least one complete set of NSEC3 RRs for the zone
+ using the same salt value.
+
+ The salt SHOULD be changed periodically to prevent pre-computation
+ using a single salt. It is RECOMMENDED that the salt be changed for
+ every re-signing.
+
+ Note that this could cause a resolver to see RRs with different salt
+ values for the same zone. This is harmless, since each RR stands
+ alone (that is, it denies the set of owner names whose hashes, using
+ the salt in the NSEC3 RR, fall between the two hashes in the NSEC3
+ RR) -- it is only the server that needs a complete set of NSEC3 RRs
+ with the same salt in order to be able to answer every possible
+ query.
+
+ There is no prohibition with having NSEC3 RRs with different salts
+ within the same zone. However, in order for authoritative servers to
+ be able to consistently find covering NSEC3 RRs, the authoritative
+ server MUST choose a single set of parameters (algorithm, salt, and
+ iterations) to use when selecting NSEC3 RRs.
+
+C.2. Hash Collision
+
+ Hash collisions occur when different messages have the same hash
+ value. The expected number of domain names needed to give a 1 in 2
+ chance of a single collision is about 2^(n/2) for a hash of length n
+ bits (i.e., 2^80 for SHA-1). Though this probability is extremely
+ low, the following paragraphs deal with avoiding collisions and
+ assessing possible damage in the event of an attack using hash
+ collisions.
+
+
+
+
+
+
+
+Laurie, et al. Standards Track [Page 49]
+
+RFC 5155 NSEC3 March 2008
+
+
+C.2.1. Avoiding Hash Collisions During Generation
+
+ During generation of NSEC3 RRs, hash values are supposedly unique.
+ In the (academic) case of a collision occurring, an alternative salt
+ MUST be chosen and all hash values MUST be regenerated.
+
+C.2.2. Second Preimage Requirement Analysis
+
+ A cryptographic hash function has a second-preimage resistance
+ property. The second-preimage resistance property means that it is
+ computationally infeasible to find another message with the same hash
+ value as a given message, i.e., given preimage X, to find a second
+ preimage X' != X such that hash(X) = hash(X'). The work factor for
+ finding a second preimage is of the order of 2^160 for SHA-1. To
+ mount an attack using an existing NSEC3 RR, an adversary needs to
+ find a second preimage.
+
+ Assuming an adversary is capable of mounting such an extreme attack,
+ the actual damage is that a response message can be generated that
+ claims that a certain QNAME (i.e., the second pre-image) does exist,
+ while in reality QNAME does not exist (a false positive), which will
+ either cause a security-aware resolver to re-query for the non-
+ existent name, or to fail the initial query. Note that the adversary
+ can't mount this attack on an existing name, but only on a name that
+ the adversary can't choose and that does not yet exist.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al. Standards Track [Page 50]
+
+RFC 5155 NSEC3 March 2008
+
+
+Authors' Addresses
+
+ Ben Laurie
+ Nominet
+ 17 Perryn Road
+ London W3 7LR
+ England
+
+ Phone: +44 20 8735 0686
+ EMail: ben@links.org
+
+
+ Geoffrey Sisson
+ Nominet
+ Minerva House
+ Edmund Halley Road
+ Oxford Science Park
+ Oxford OX4 4DQ
+ UNITED KINGDOM
+
+ Phone: +44 1865 332211
+ EMail: geoff-s@panix.com
+
+
+ Roy Arends
+ Nominet
+ Minerva House
+ Edmund Halley Road
+ Oxford Science Park
+ Oxford OX4 4DQ
+ UNITED KINGDOM
+
+ Phone: +44 1865 332211
+ EMail: roy@nominet.org.uk
+
+
+ David Blacka
+ VeriSign, Inc.
+ 21355 Ridgetop Circle
+ Dulles, VA 20166
+ US
+
+ Phone: +1 703 948 3200
+ EMail: davidb@verisign.com
+
+
+
+
+
+
+
+Laurie, et al. Standards Track [Page 51]
+
+RFC 5155 NSEC3 March 2008
+
+
+Full Copyright Statement
+
+ Copyright (C) The IETF Trust (2008).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
+ THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
+ THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al. Standards Track [Page 52]
+