RFC Errata



RFC 4592, "The Role of Wildcards in the Domain Name System", July 2006

Source of RFC: dnsext (int)

Errata ID: 5119

Status: Reported
Type: Technical

Reported By: Karst Koymans
Date Reported: 2017-09-21

Section 4.7 says:

4.7.  NSEC RRSet at a Wildcard Domain Name

   Wildcard domain names in DNSSEC signed zones will have an NSEC RRSet.
   Synthesis of these records will only occur when the query exactly
   matches the record.  Synthesized NSEC RRs will not be harmful as they
   will never be used in negative caching or to generate a negative
   response [RFC2308].

It should say:

4.7.  NSEC RRSet at a Wildcard Domain Name

   Wildcard domain names in DNSSEC signed zones will have an NSEC RRSet.
   NSEC RRSets must not be synthesized from this wildcard NSEC.

Notes:

Synthesizing these records would destroy the semantics of the NSEC chain and could be very harmful if implementations would cache them and use them for "Aggressive Use of DNSSEC-Validated Cache" (RFC 8198).
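The failure mode the Notes describe, worked through on a constructed zone. This is an added Python example, not part of the erratum or of RFC 4592; the zone contents, the function names and the simplified RFC 8198-style check are assumptions made for illustration. A cache holding only an NSEC synthesized for `a.example.` denies `z.a.example.`, a name the zone actually answers from `*.example.`.

```python
# Constructed sample zone: apex, a wildcard, two ordinary names (no empty non-terminals).
ZONE = ["example.", "*.example.", "mail.example.", "www.example."]

def labels(name):
    return name.rstrip(".").lower().split(".")

def key(name):
    """RFC 4034 canonical order: compare labels right to left as lowercase octets."""
    return tuple(l.encode() for l in reversed(labels(name)))

def nsec_chain(names):
    """Genuine chain: each owner points at the next existing name; the last wraps to the apex."""
    s = sorted(names, key=key)
    return [(s[i], s[(i + 1) % len(s)]) for i in range(len(s))]

def covers(owner, nxt, name):
    """True if NSEC (owner, nxt) asserts that `name` does not exist."""
    o, n, x = key(owner), key(nxt), key(name)
    return o < x < n if o < n else x > o  # o > n: last NSEC of a genuine chain

def shared(a, b):
    """Count of trailing labels two names have in common."""
    ka, kb = key(a), key(b)
    n = 0
    while n < min(len(ka), len(kb)) and ka[n] == kb[n]:
        n += 1
    return n

def cache_says_nxdomain(nsecs, qname):
    """Modelled aggressive-cache check (qname assumed to be inside the zone): a cached NSEC
    covers qname and a cached NSEC covers the wildcard at the closest encloser it implies."""
    for owner, nxt in nsecs:
        if covers(owner, nxt, qname):
            depth = max(shared(qname, owner), shared(qname, nxt))
            ce = ".".join(labels(qname)[-depth:]) + "."
            return any(covers(o, n, "*." + ce) for o, n in nsecs)
    return False

def zone_answers(names, qname):
    """Ground truth (RFC 4592): exact match, else a wildcard at the closest encloser."""
    lab = labels(qname)
    ancestors = [".".join(lab[i:]) + "." for i in range(1, len(lab))]
    ce = next((a for a in ancestors if a in names), None)
    return qname in names or (ce is not None and "*." + ce in names)

GENUINE = nsec_chain(ZONE)
# Hypothetical bad behaviour: the wildcard's NSEC re-owned to the query name a.example.
SYNTHESIZED = ("a.example.", dict(GENUINE)["*.example."])
```

The synthesized record makes `a.example.` look like an existing owner name, so the closest encloser for `z.a.example.` moves from `example.` to `a.example.` and the wildcard match is lost.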
