RFC Errata

RFC 4470, "Minimally Covering NSEC Records and DNSSEC On-line Signing", April 2006

Source of RFC: dnsext (int)

Errata ID: 6734
Status: Reported
Type: Technical
Publication Format(s) : TEXT

Reported By: Mark Andrews
Date Reported: 2021-11-12

Section 4 says:

   The first of these NSEC RRs proves that no exact match for
   foo.example.com exists, and the second proves that there is no
   wildcard in example.com.

It should say:



"the second proves that there is no wildcard in example.com" is incorrect.

\255\255.example.com 3600 IN NSEC \000.*.example.com ( NSEC RRSIG )

Actually proves that *.example.com exists as it is part of the next field. It is an empty non-terminal wildcard. '\000.domain' can only be used to prove no data exists at 'domain', not that 'domain' doesn't exist.
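The distinction drawn in the notes above, as an added Python example (not part of the erratum or of RFC 4470): a plain interval test places `*.example.com` inside the span of the quoted NSEC record, while the next field shows it is an ancestor of an existing name and so an empty non-terminal. The function names are hypothetical, names are given without a trailing dot, and the only record used is the one quoted in the report.

```python
# Added example: NSEC interval test vs. empty-non-terminal check,
# using RFC 4034 section 6.1 canonical name ordering.

def parse_name(text):
    """Presentation-format name (no trailing dot) -> tuple of label bytes."""
    labels, cur, i = [], bytearray(), 0
    while i < len(text):
        c, ddd = text[i], text[i + 1:i + 4]
        if c == "\\" and len(ddd) == 3 and ddd.isdecimal():
            cur.append(int(ddd)); i += 4          # \DDD decimal octet escape
        elif c == "\\":
            cur.append(ord(text[i + 1])); i += 2  # \X literal character escape
        elif c == ".":
            labels.append(bytes(cur)); cur = bytearray(); i += 1
        else:
            cur.append(ord(c)); i += 1
    return tuple(labels + [bytes(cur)])

def canon(name):
    """Sort key: lowercased labels compared right to left, octets unsigned."""
    return tuple(label.lower() for label in reversed(parse_name(name)))

def in_gap(owner, qname, nxt):
    """Interval test only: does qname sort between owner and next?"""
    o, q, n = canon(owner), canon(qname), canon(nxt)
    # An owner sorting after next means the span wraps past the end of the zone.
    return o < q < n if o < n else (q > o or q < n)

def is_empty_non_terminal(qname, nxt):
    """qname is a proper ancestor of the next name, so it exists without data."""
    q, n = canon(qname), canon(nxt)
    return len(q) < len(n) and n[:len(q)] == q

def nsec_proves_nonexistence(owner, qname, nxt):
    """A name inside the span is only denied if next is not below it."""
    return in_gap(owner, qname, nxt) and not is_empty_non_terminal(qname, nxt)

# The NSEC record quoted in the erratum (owner name and next field).
OWNER, NEXT = r"\255\255.example.com", r"\000.*.example.com"

if __name__ == "__main__":
    for q in ("*.example.com", "!.example.com"):
        print(q, "in gap:", in_gap(OWNER, q, NEXT),
              "| ENT:", is_empty_non_terminal(q, NEXT),
              "| denied:", nsec_proves_nonexistence(OWNER, q, NEXT))
```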
