RFC Errata
RFC 6672, "DNAME Redirection in the DNS", June 2012
Source of RFC: dnsext (int)See Also: RFC 6672 w/ inline errata
Errata ID: 5298
Status: Verified
Type: Editorial
Publication Format(s) : TEXT
Reported By: Pieter Lexis
Date Reported: 2018-03-02
Verifier Name: Eric Vyncke
Date Verified: 2023-08-03
Section 5.3.4.2 says:
;; Header: QR AA RCODE=3(NXDOMAIN) ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; Question cee.example.com. IN A ;; Authority bar.example.com. NSEC dub.example.com. A DNAME bar.example.com. RRSIG NSEC [valid signature]
It should say:
;; Header: QR AA RCODE=3(NXDOMAIN) ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; Question cee.example.com. IN A ;; Authority bar.example.com. NSEC dub.example.com. A DNAME RRSIG NSEC bar.example.com. RRSIG NSEC [valid signature]
Notes:
The NSEC record in the original text would in no case be valid as it denies it's own existence and the existence of the RRSIG, while the text indicates that " the validator can see that it is a BOGUS reply from an attacker that collated existing records from the DNS to create a confusing reply". This indicates that NSEC and RRSIG should be set in the NSEC bitmap
Edit: Thread - https://www.ietf.org/mail-archive/web/dnsext/current/msg13879.html