You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Wildcard records require a non-existence proof either NSEC or NSEC3 to prove no exact match exists which is not included in AuthenticationChain created by this library. Standard DNSSEC validators would consider such chains bogus.
Let's say I want secret.buffrr.dev to use some certificate while everything else *.buffrr.dev to use another certificate, I could add the following records to my zone:
Using the validator in this library, I could fool it into accepting the TLSA record labelled *.buffrr.dev for _443._tcp.secret.buffrr.dev while a standard DNSSEC validator would not. If an RRSIG is covering a wildcard (determined by number of labels), then NSECs or NSEC3s are required in the AuthenticationChain to prove no exact match exists.
Since this BIP requires following the RFC, I would suggest either fixing it or perhaps reconsidering support for wildcard records. Otherwise, it won't be compatible with all the validators out there unless every integration of the BIP uses this exact implementation.
I appreciate the effort put into developing this library and making it generic enough for other use cases. I just gave it a quick pass but will try to go deeper once I have some time since i'm considering it for other projects. Btw RFC-9102 includes some test vectors in the appendix that might be helpful.
The text was updated successfully, but these errors were encountered:
Wildcard records require a non-existence proof either
NSEC
orNSEC3
to prove no exact match exists which is not included inAuthenticationChain
created by this library. Standard DNSSEC validators would consider such chainsbogus
.Let's say I want
secret.buffrr.dev
to use some certificate while everything else*.buffrr.dev
to use another certificate, I could add the following records to my zone:Using the validator in this library, I could fool it into accepting the TLSA record labelled
*.buffrr.dev
for_443._tcp.secret.buffrr.dev
while a standard DNSSEC validator would not. If an RRSIG is covering a wildcard (determined by number of labels), thenNSECs
orNSEC3s
are required in theAuthenticationChain
to prove no exact match exists.Since this BIP requires following the RFC, I would suggest either fixing it or perhaps reconsidering support for wildcard records. Otherwise, it won't be compatible with all the validators out there unless every integration of the BIP uses this exact implementation.
I appreciate the effort put into developing this library and making it generic enough for other use cases. I just gave it a quick pass but will try to go deeper once I have some time since i'm considering it for other projects. Btw RFC-9102 includes some test vectors in the appendix that might be helpful.
The text was updated successfully, but these errors were encountered: