Add support for Denial of Existence records (NSEC and NSEC3) #17

@gnarea


We don't need DoE records in Vera, so we're not implementing them. However, we'd welcome PRs to support them.

Note that this missing feature does not represent a security vulnerability because DNSSEC verification will still fail -- it'll just throw an error instead of returning a SecurityStatus value.

High-level design

These are the main changes we have to make as of November 2022:

  • Message: Add support for Authority answers.
  • ZoneSigner: Add two methods, to be used in the tests: generateNsec() and generateNsec3().
  • Zone.initChild(): Change return type from VerificationResult<Zone> to VerificationResult<Zone | null>, and use null as a successful result when the DS response for the child zone denies the existence of such a record.
  • UnverifiedChain.verify(): Change return type from VerificationResult<RRSet> to VerificationResult<RRSet | null>, and use null as a successful result when the apex zone denies the existence of such an RRset.
  • Update README to remove comments about not supporting DoE records.
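For reference, the check that an NSEC-based denial of existence comes down to, as an added sketch that is not part of the original issue and not Vera's code. `Nsec`, `Denial`, `compareNames` and `nsecDenies` are hypothetical names, and the record values in any call are constructed; it covers NSEC only, not NSEC3.

```typescript
// Added example: hypothetical types and names, not Vera's API.
// Assumes ASCII presentation-format names with no escaped dots, a qname
// inside the zone, and an NSEC RRset whose RRSIG was already verified.
interface Nsec {
  readonly owner: string;
  readonly next: string; // "Next Domain Name" field
  readonly types: readonly string[]; // decoded type bitmap, upper case
}

type Denial = 'NODATA' | 'NXDOMAIN' | null;

// Labels lowercased and reversed so the most significant label comes first
// (canonical ordering, RFC 4034 section 6.1).
function canonicalLabels(name: string): string[] {
  const labels = name.toLowerCase().replace(/\.$/, '').split('.');
  return labels.filter((label) => label.length > 0).reverse();
}

function compareNames(a: string, b: string): number {
  const la = canonicalLabels(a);
  const lb = canonicalLabels(b);
  for (let i = 0; i < la.length && i < lb.length; i++) {
    const x = la[i] as string;
    const y = lb[i] as string;
    if (x !== y) return x < y ? -1 : 1;
  }
  return la.length - lb.length; // a parent sorts before its descendants
}

// What this single NSEC record proves about (qname, qtype), or null if nothing.
// A complete NXDOMAIN proof also needs an NSEC denying the matching wildcard;
// CNAME and delegation-point cases are not handled here.
function nsecDenies(nsec: Nsec, qname: string, qtype: string): Denial {
  const ownerVsQname = compareNames(nsec.owner, qname);
  if (ownerVsQname === 0) {
    // Name exists: the bitmap lists every type present at it.
    return nsec.types.indexOf(qtype.toUpperCase()) === -1 ? 'NODATA' : null;
  }
  const afterOwner = ownerVsQname < 0;
  const beforeNext = compareNames(qname, nsec.next) < 0;
  // The last NSEC in the zone points back to the apex, so its range wraps.
  const wraps = compareNames(nsec.next, nsec.owner) <= 0;
  const covered = wraps ? afterOwner || beforeNext : afterOwner && beforeNext;
  return covered ? 'NXDOMAIN' : null;
}
```

A non-null result here is the situation in which the proposed `Zone | null` and `RRSet | null` return types would carry `null` as a successful outcome.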

Labels: enhancement (New feature or request)