Net-DNS-Codes
extra_docs/rfc5155.txt view on Meta::CPAN
Appendix A. Example Zone
This is a zone showing its NSEC3 RRs. They can also be used as test
vectors for the hash algorithm.
The overall TTL and class are specified in the SOA RR, and are
subsequently omitted for clarity.
The zone is preceded by a list that contains the hashes of the
original ownernames.
; H(example) = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
; H(a.example) = 35mthgpgcu1qg68fab165klnsnk3dpvl
; H(ai.example) = gjeqe526plbf1g8mklp59enfd789njgi
; H(ns1.example) = 2t7b4g4vsa5smi47k61mv5bv1a22bojr
; H(ns2.example) = q04jkcevqvmu85r014c7dkba38o0ji5r
; H(w.example) = k8udemvp1j2f7eg6jebps17vp3n8i58h
; H(*.w.example) = r53bq7cc2uvmubfu5ocmm6pers9tk9en
; H(x.w.example) = b4um86eghhds6nea196smvmlo4ors995
; H(y.w.example) = ji6neoaepv8b5o6k4ev33abha8ht9fgc
; H(x.y.w.example) = 2vptu5timamqttgl4luu9kg21e0aor3s
; H(xx.example) = t644ebqk9bibcna874givr6joj62mlhv
; H(2t7b4g4vsa5smi47k61mv5bv1a22bojr.example)
; = kohar7mbb8dc2ce8a9qvl8hon4k53uhi
example. 3600 IN SOA ns1.example. bugs.x.w.example. 1 3600 300 (
3600000 3600 )
RRSIG SOA 7 1 3600 20150420235959 20051021000000 (
40430 example.
Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8i
q4ZLlYWfUUbbAS41pG+68z81q1xhkYAcEyHd
VI2LmKusbZsT0Q== )
NS ns1.example.
NS ns2.example.
RRSIG NS 7 1 3600 20150420235959 20051021000000 (
40430 example.
PVOgtMK1HHeSTau+HwDWC8Ts+6C8qtqd4pQJ
qOtdEVgg+MA+ai4fWDEhu3qHJyLcQ9tbD2vv
CnMXjtz6SyObxA== )
MX 1 xx.example.
RRSIG MX 7 1 3600 20150420235959 20051021000000 (
40430 example.
GgQ1A9xs47k42VPvpL/a1BWUz/6XsnHkjotw
9So8MQtZtl2wJBsnOQsaoHrRCrRbyriEl/GZ
n9Mto/Kx+wBo+w== )
DNSKEY 256 3 7 AwEAAaetidLzsKWUt4swWR8yu0wPHPiUi8LU (
sAD0QPWU+wzt89epO6tHzkMBVDkC7qphQO2h
TY4hHn9npWFRw5BYubE= )
DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ (
j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9
AbsUdblMFin8CVF3n4s= )
RRSIG DNSKEY 7 1 3600 20150420235959 (
20051021000000 12708 example.
AuU4juU9RaxescSmStrQks3Gh9FblGBlVU31
uzMZ/U/FpsUb8aC6QZS+sTsJXnLnz7flGOsm
MGQZf3bH+QsCtg== )
NSEC3PARAM 1 0 12 aabbccdd
RRSIG NSEC3PARAM 7 1 3600 20150420235959 (
20051021000000 40430 example.
C1Gl8tPZNtnjlrYWDeeUV/sGLCyy/IHie2re
rN05XSA3Pq0U3+4VvGWYWdUMfflOdxqnXHwJ
TLQsjlkynhG6Cg== )
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
SOA NSEC3PARAM RRSIG )
RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 (
40430 example.
OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL
IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762
BOCXJZMnpuwhpA== )
2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. A 192.0.2.127
RRSIG A 7 2 3600 20150420235959 20051021000000 (
40430 example.
h6c++bzhRuWWt2bykN6mjaTNBcXNq5UuL5Ed
K+iDP4eY8I0kSiKaCjg3tC1SQkeloMeub2GW
k8p6xHMPZumXlw== )
NSEC3 1 1 12 aabbccdd (
2vptu5timamqttgl4luu9kg21e0aor3s A RRSIG )
RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 (
40430 example.
OmBvJ1Vgg1hCKMXHFiNeIYHK9XVW0iLDLwJN
4TFoNxZuP03gAXEI634YwOc4YBNITrj413iq
NI6mRk/r1dOSUw== )
2vptu5timamqttgl4luu9kg21e0aor3s.example. NSEC3 1 1 12 aabbccdd (
35mthgpgcu1qg68fab165klnsnk3dpvl MX RRSIG )
RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 (
40430 example.
KL1V2oFYghNV0Hm7Tf2vpJjM6l+0g1JCcVYG
VfI0lKrhPmTsOA96cLEACgo1x8I7kApJX+ob
TuktZ+sdsZPY1w== )
35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd (
b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 (
40430 example.
g6jPUUpduAJKRljUsN8gB4UagAX0NxY9shwQ
Aynzo8EUWH+z6hEIBlUTPGj15eZll6VhQqgZ
XtAIR3chwgW+SA== )
a.example. NS ns1.a.example.
NS ns2.a.example.
DS 58470 5 1 (
3079F1593EBAD6DC121E202A8B766A6A4837206C )
RRSIG DS 7 2 3600 20150420235959 20051021000000 (
40430 example.
XacFcQVHLVzdoc45EJhN616zQ4mEXtE8FzUh
M2KWjfy1VfRKD9r1MeVGwwoukOKgJxBPFsWo
o722vZ4UZ2dIdA== )
ns1.a.example. A 192.0.2.5
ns2.a.example. A 192.0.2.6
ai.example. A 192.0.2.9
RRSIG A 7 2 3600 20150420235959 20051021000000 (
40430 example.
hVe+wKYMlObTRPhX0NL67GxeZfdxqr/QeR6F
tfdAj5+FgYxyzPEjIzvKWy00hWIl6wD3Vws+
rznEn8sQ64UdqA== )
HINFO "KLH-10" "ITS"
RRSIG HINFO 7 2 3600 20150420235959 20051021000000 (
40430 example.
Yi42uOq43eyO6qXHNvwwfFnIustWgV5urFcx
enkLvs6pKRh00VBjODmf3Z4nMO7IOl6nHSQ1
v0wLHpEZG7Xj2w== )
AAAA 2001:db8:0:0:0:0:f00:baa9
RRSIG AAAA 7 2 3600 20150420235959 20051021000000 (
40430 example.
LcdxKaCB5bGZwPDg+3JJ4O02zoMBrjxqlf6W
uaHQZZfTUpb9Nf2nxFGe2XRPfR5tpJT6GdRG
cHueLuXkMjBArQ== )
b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd (
gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 (
40430 example.
ZkPG3M32lmoHM6pa3D6gZFGB/rhL//Bs3Omh
5u4m/CUiwtblEVOaAKKZd7S959OeiX43aLX3
pOv0TSTyiTxIZg== )
c.example. NS ns1.c.example.
NS ns2.c.example.
ns1.c.example. A 192.0.2.7
ns2.c.example. A 192.0.2.8
gjeqe526plbf1g8mklp59enfd789njgi.example. NSEC3 1 1 12 aabbccdd (
ji6neoaepv8b5o6k4ev33abha8ht9fgc HINFO A AAAA
RRSIG )
RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 (
40430 example.
IVnezTJ9iqblFF97vPSmfXZ5Zozngx3KX3by
LTZC4QBH2dFWhf6scrGFZB980AfCxoD9qbbK
Dy+rdGIeRSVNyw== )
ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. NSEC3 1 1 12 aabbccdd (
k8udemvp1j2f7eg6jebps17vp3n8i58h )
RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 (
40430 example.
40430 example.
IXBcXORITNwd8h3gNwyxtYFvAupS/CYWufVe
uBUX0O25ivBCULjZjpDxFSxfohb/KA7YRdxE
NzYfMItpILl/Xw== )
Appendix B. Example Responses
The examples in this section show response messages using the signed
zone example in Appendix A.
B.1. Name Error
An authoritative name error. The NSEC3 RRs prove that the name does
not exist and that there is no wildcard RR that should have been
expanded.
;; Header: QR AA DO RCODE=3
;;
;; Question
a.c.x.w.example. IN A
;; Answer
;; (empty)
;; Authority
example. SOA ns1.example. bugs.x.w.example. 1 3600 300 (
3600000 3600 )
example. RRSIG SOA 7 1 3600 20150420235959 20051021000000 (
40430 example.
Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8i
q4ZLlYWfUUbbAS41pG+68z81q1xhkYAcEyHd
VI2LmKusbZsT0Q== )
;; NSEC3 RR that covers the "next closer" name (c.x.w.example)
;; H(c.x.w.example) = 0va5bpr2ou0vk0lbqeeljri88laipsfh
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
SOA NSEC3PARAM RRSIG )
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 7 2 3600 (
20150420235959 20051021000000 40430 example.
OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL
IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762
BOCXJZMnpuwhpA== )
;; NSEC3 RR that matches the closest encloser (x.w.example)
;; H(x.w.example) = b4um86eghhds6nea196smvmlo4ors995
b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd (
gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
b4um86eghhds6nea196smvmlo4ors995.example. RRSIG NSEC3 7 2 3600 (
20150420235959 20051021000000 40430 example.
ZkPG3M32lmoHM6pa3D6gZFGB/rhL//Bs3Omh
5u4m/CUiwtblEVOaAKKZd7S959OeiX43aLX3
pOv0TSTyiTxIZg== )
;; NSEC3 RR that covers wildcard at the closest encloser (*.x.w.example)
;; H(*.x.w.example) = 92pqneegtaue7pjatc3l3qnk738c6v5m
35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd (
b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
35mthgpgcu1qg68fab165klnsnk3dpvl.example. RRSIG NSEC3 7 2 3600 (
20150420235959 20051021000000 40430 example.
g6jPUUpduAJKRljUsN8gB4UagAX0NxY9shwQ
Aynzo8EUWH+z6hEIBlUTPGj15eZll6VhQqgZ
XtAIR3chwgW+SA== )
;; Additional
;; (empty)
The query returned three NSEC3 RRs that prove that the requested data
does not exist and that no wildcard expansion applies. The negative
response is authenticated by verifying the NSEC3 RRs. The
corresponding RRSIGs indicate that the NSEC3 RRs are signed by an
"example" DNSKEY of algorithm 7 and with key tag 40430. The resolver
needs the corresponding DNSKEY RR in order to authenticate this
answer.
One of the owner names of the NSEC3 RRs matches the closest encloser.
One of the NSEC3 RRs proves that there exists no longer name. One of
the NSEC3 RRs proves that there exists no wildcard RRSets that should
have been expanded. The closest encloser can be found by applying
the algorithm in Section 8.3.
In the above example, the name 'x.w.example' hashes to
'b4um86eghhds6nea196smvmlo4ors995'. This indicates that this might
be the closest encloser. To prove that 'c.x.w.example' and
'*.x.w.example' do not exist, these names are hashed to,
respectively, '0va5bpr2ou0vk0lbqeeljri88laipsfh' and
'92pqneegtaue7pjatc3l3qnk738c6v5m'. The first and last NSEC3 RRs
prove that these hashed owner names do not exist.
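An added example (not part of RFC 5155 or of the Net-DNS-Codes distribution): the NSEC3 hash, checkable against the Appendix A test vectors, and the B.1 closest-encloser proof re-run over the three NSEC3 owner/next pairs shown above. It assumes hash algorithm 1 (SHA-1) with the zone's NSEC3PARAM values (salt aabbccdd, 12 iterations); the function names are hypothetical, and RRSIG verification, which a validator performs before trusting any NSEC3 RR, is left out.

```python
import base64
import hashlib

# Map the standard base32 alphabet onto the RFC 4648 "extended hex" one (lowercase).
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

def nsec3_hash(name, salt_hex="aabbccdd", iterations=12):
    """SHA-1 NSEC3 hash: H(wire-name || salt), then `iterations` further rounds."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def covers(owner, nxt, h):
    """True if hash h lies strictly between an NSEC3 owner hash and its next hash."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt  # the last NSEC3 in the chain wraps around

def prove_name_error(qname, nsec3s):
    """Return the closest encloser if nsec3s proves qname and its wildcard absent."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if nsec3_hash(candidate) in nsec3s:      # an NSEC3 RR matches this name
            if i == 0:
                return None                      # QNAME itself exists: no name error
            next_closer = nsec3_hash(".".join(labels[i - 1:]))
            wildcard = nsec3_hash("*." + candidate)
            ok = all(any(covers(o, n, h) for o, n in nsec3s.items())
                     for h in (next_closer, wildcard))
            return candidate if ok else None
    return None

# Owner hash -> next hashed owner name, copied from the three NSEC3 RRs in B.1.
B1_NSEC3 = {
    "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom": "2t7b4g4vsa5smi47k61mv5bv1a22bojr",
    "b4um86eghhds6nea196smvmlo4ors995": "gjeqe526plbf1g8mklp59enfd789njgi",
    "35mthgpgcu1qg68fab165klnsnk3dpvl": "b4um86eghhds6nea196smvmlo4ors995",
}

if __name__ == "__main__":
    print(nsec3_hash("example"))
    print(prove_name_error("a.c.x.w.example.", B1_NSEC3))
```

Because base32hex preserves byte order, the hashes can be compared as plain lowercase strings, which is what `covers` relies on.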
B.2. No Data Error
A "no data" response. The NSEC3 RR proves that the name exists and
that the requested RR type does not.
;; Header: QR AA DO RCODE=0
;;
;; Question
ns1.example. IN MX
;; Answer
;; (empty)
;; Authority
example. SOA ns1.example. bugs.x.w.example. 1 3600 300 (
3600000 3600 )
example. RRSIG SOA 7 1 3600 20150420235959 20051021000000 (
40430 example.
Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8i
q4ZLlYWfUUbbAS41pG+68z81q1xhkYAcEyHd
VI2LmKusbZsT0Q== )
;; NSEC3 RR matches the QNAME and shows that the MX type bit is not set.
2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. NSEC3 1 1 12 aabbccdd (
2vptu5timamqttgl4luu9kg21e0aor3s A RRSIG )
2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. RRSIG NSEC3 7 2 3600 (
20150420235959 20051021000000 40430 example.
OmBvJ1Vgg1hCKMXHFiNeIYHK9XVW0iLDLwJN
4TFoNxZuP03gAXEI634YwOc4YBNITrj413iq
A "no data" response because of an empty non-terminal. The NSEC3 RR
proves that the name exists and that the requested RR type does not.
;; Header: QR AA DO RCODE=0
;;
;; Question
y.w.example. IN A
;; Answer
;; (empty)
;; Authority
example. SOA ns1.example. bugs.x.w.example. 1 3600 300 (
3600000 3600 )
example. RRSIG SOA 7 1 3600 20150420235959 20051021000000 (
40430 example.
Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8i
q4ZLlYWfUUbbAS41pG+68z81q1xhkYAcEyHd
VI2LmKusbZsT0Q== )
;; NSEC3 RR matches the QNAME and shows that the A type bit is not set.
ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. NSEC3 1 1 12 aabbccdd (
k8udemvp1j2f7eg6jebps17vp3n8i58h )
ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. RRSIG NSEC3 7 2 3600 (
20150420235959 20051021000000 40430 example.
gPkFp1s2QDQ6wQzcg1uSebZ61W33rUBDcTj7
2F3kQ490fEdp7k1BUIfbcZtPbX3YCpE+sIt0
MpzVSKfTwx4uYA== )
;; Additional
;; (empty)
The query returned an NSEC3 RR that proves that the requested name
exists ("y.w.example." hashes to "ji6neoaepv8b5o6k4ev33abha8ht9fgc"),
but the requested RR type does not exist (Type A is absent in the
Type Bit Maps field of the NSEC3 RR). Note that, unlike an empty
non-terminal proof using NSECs, this is identical to a No Data Error.
This example is included solely for completeness.
B.3. Referral to an Opt-Out Unsigned Zone
The NSEC3 RRs prove that nothing for this delegation was signed.
There is no proof that the unsigned delegation exists.
;; Header: QR DO RCODE=0
;;
;; Question
mc.c.example. IN MX
;; Answer
;; (empty)
;; Authority
c.example. NS ns1.c.example.
NS ns2.c.example.
;; NSEC3 RR that covers the "next closer" name (c.example)
;; H(c.example) = 4g6p9u5gvfshp30pqecj98b3maqbn1ck
35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd (
b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
35mthgpgcu1qg68fab165klnsnk3dpvl.example. RRSIG NSEC3 7 2 3600 (
20150420235959 20051021000000 40430 example.
g6jPUUpduAJKRljUsN8gB4UagAX0NxY9shwQ
Aynzo8EUWH+z6hEIBlUTPGj15eZll6VhQqgZ
XtAIR3chwgW+SA== )
;; NSEC3 RR that matches the closest encloser (example)
;; H(example) = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
SOA NSEC3PARAM RRSIG )
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 7 2 3600 (
20150420235959 20051021000000 40430 example.
OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL
IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762
BOCXJZMnpuwhpA== )
;; Additional
ns1.c.example. A 192.0.2.7
ns2.c.example. A 192.0.2.8
The query returned a referral to the unsigned "c.example." zone. The
response shows the closest provable encloser of "c.example" to be
"example", since the hash of "c.example"
("4g6p9u5gvfshp30pqecj98b3maqbn1ck") is covered by the first NSEC3 RR
and its Opt-Out bit is set.
B.4. Wildcard Expansion
A query that was answered with a response containing a wildcard
expansion. The label count in the RRSIG RRSet in the answer section
indicates that a wildcard RRSet was expanded to produce this
response, and the NSEC3 RR proves that no "next closer" name exists
in the zone.
;; Header: QR AA DO RCODE=0
;;
;; Question
a.z.w.example. IN MX
;; Answer
a.z.w.example. MX 1 ai.example.
a.z.w.example. RRSIG MX 7 2 3600 20150420235959 20051021000000 (
40430 example.
CikebjQwGQPwijVcxgcZcSJKtfynugtlBiKb
9FcBTrmOoyQ4InoWVudhCWsh/URX3lc4WRUM
ivEBP6+4KS3ldA== )
;; Authority
example. NS ns1.example.
example. NS ns2.example.
example. RRSIG NS 7 1 3600 20150420235959 20051021000000 (
40430 example.
PVOgtMK1HHeSTau+HwDWC8Ts+6C8qtqd4pQJ
qOtdEVgg+MA+ai4fWDEhu3qHJyLcQ9tbD2vv
CnMXjtz6SyObxA== )
;; NSEC3 RR that covers the "next closer" name (z.w.example)
;; H(z.w.example) = qlu7gtfaeh0ek0c05ksfhdpbcgglbe03