RFC Errata
RFC 4470, "Minimally Covering NSEC Records and DNSSEC On-line Signing", April 2006
Source of RFC: dnsext (int)
Errata ID: 6734
Status: Reported
Type: Technical
Publication Format(s): TEXT
Reported By: Mark Andrews
Date Reported: 2021-11-12
Section 4 says:
The first of these NSEC RRs proves that no exact match for foo.example.com exists, and the second proves that there is no wildcard in example.com.
It should say:
TBD
Notes:
"the second proves that there is no wildcard in example.com" is incorrect.
\)\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
\255\255.example.com 3600 IN NSEC \000.*.example.com ( NSEC RRSIG )
This record actually proves that *.example.com exists, as it is part of the next field. It is an empty non-terminal wildcard. '\000.domain' can only be used to prove no data exists at 'domain', not that 'domain' doesn't exist.
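The check described in the Notes, as an added example that is not part of the erratum or of RFC 4470: it orders names canonically (RFC 4034, Section 6.1) and reports what one NSEC lets a validator conclude about a query name. The helper names and the SIBLING_NEXT contrast value are assumptions made for illustration, not proposed erratum text.

```python
def parse_name(text):
    """Presentation-format name -> list of lowercased wire labels (handles \\DDD and \\X)."""
    labels, cur, i = [], bytearray(), 0
    text = text.rstrip(".")
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            ddd = text[i + 1:i + 4]
            if len(ddd) == 3 and ddd.isdigit():
                cur.append(int(ddd)); i += 4          # \DDD decimal octet
            else:
                cur.append(ord(text[i + 1])); i += 2  # \X escaped character
        elif ch == ".":
            labels.append(bytes(cur).lower()); cur = bytearray(); i += 1
        else:
            cur.append(ord(ch)); i += 1
    labels.append(bytes(cur).lower())
    return labels

def canon_key(name):
    """Canonical order: compare labels right to left as unsigned octet strings."""
    return parse_name(name)[::-1]

def classify(owner, nxt, qname):
    """What a single NSEC (owner -> nxt) lets a validator conclude about qname."""
    o, n, q = canon_key(owner), canon_key(nxt), canon_key(qname)
    if q in (o, n):
        return "exists: named in the NSEC"
    inside = (o < q < n) if o < n else (q > o or q < n)  # second form: last NSEC wraps
    if not inside:
        return "not covered by this NSEC"
    if n[:len(q)] == q:
        # qname is a proper ancestor of the next name, so it exists without data.
        return "exists: empty non-terminal"
    return "covered: no such name"

# Owner and next name of the record quoted in the Notes: ")" then 62 \255 octets.
OWNER = "\\)" + "\\255" * 62 + ".example.com"
NEXT = "\\000.*.example.com"
# Constructed contrast (assumption): a sibling next name instead of a child name.
SIBLING_NEXT = "+.example.com"

if __name__ == "__main__":
    for nxt in (NEXT, SIBLING_NEXT):
        print(nxt, "->", classify(OWNER, nxt, "*.example.com"))
```

With the record from the Notes, *.example.com is reported as an empty non-terminal; only the constructed sibling next name yields a plain non-existence result.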