Appendix B. Example Responses
The examples in this section show response messages using the signed zone example in Appendix A.
B.1. Name Error
An authoritative name error. The NSEC3 RRs prove that the name does not exist and that there is no wildcard RR that should have been expanded.
;; Header: QR AA DO RCODE=3
;;
;; Question
;; Answer
;; (empty)
;; Authority
example. SOA ns1.example. bugs.x.w.example. 1 3600 300 (
3600000 3600 )
example. RRSIG SOA 7 1 3600 20150420235959 20051021000000 (
40430 example.
Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8i
q4ZLlYWfUUbbAS41pG+68z81q1xhkYAcEyHd
VI2LmKusbZsT0Q== )
;; NSEC3 RR that covers the "next closer" name (c.x.w.example)
;; H(c.x.w.example) = 0va5bpr2ou0vk0lbqeeljri88laipsfh
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
SOA NSEC3PARAM RRSIG )
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 7 2 3600 (
20150420235959 20051021000000 40430 example.
OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL
IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762
BOCXJZMnpuwhpA== )
;; NSEC3 RR that matches the closest encloser (x.w.example)
;; H(x.w.example) = b4um86eghhds6nea196smvmlo4ors995
b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd (
gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
b4um86eghhds6nea196smvmlo4ors995.example. RRSIG NSEC3 7 2 3600 (
20150420235959 20051021000000 40430 example.
ZkPG3M32lmoHM6pa3D6gZFGB/rhL//Bs3Omh
5u4m/CUiwtblEVOaAKKZd7S959OeiX43aLX3
pOv0TSTyiTxIZg== )
;; NSEC3 RR that covers the wildcard at the closest encloser (*.x.w.example)
;; H(*.x.w.example) = 92pqneegtaue7pjatc3l3qnk738c6v5m
35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd (
b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
35mthgpgcu1qg68fab165klnsnk3dpvl.example. RRSIG NSEC3 7 2 3600 (
20150420235959 20051021000000 40430 example.
g6jPUUpduAJKRljUsN8gB4UagAX0NxY9shwQ
Aynzo8EUWH+z6hEIBlUTPGj15eZll6VhQqgZ
XtAIR3chwgW+SA== )
;; Additional
;; (empty)
The query returned three NSEC3 RRs that prove that the requested data
does not exist and that no wildcard expansion applies. The negative
response is authenticated by verifying the NSEC3 RRs. The
corresponding RRSIGs indicate that the NSEC3 RRs are signed by an
"example" DNSKEY of algorithm 7 and with key tag 40430. The resolver
needs the corresponding DNSKEY RR in order to authenticate this
answer.
The owner name of one NSEC3 RR matches the hash of the closest
encloser. A second NSEC3 RR proves that no longer name (the "next
closer" name) exists. A third NSEC3 RR proves that no wildcard RRSet
exists at the closest encloser that should have been expanded. The
closest encloser can be found by applying the algorithm in Section
8.3.
In the above example, the name 'x.w.example' hashes to
'b4um86eghhds6nea196smvmlo4ors995'. This indicates that this might
be the closest encloser. To prove that 'c.x.w.example' and
'*.x.w.example' do not exist, these names are hashed to,
respectively, '0va5bpr2ou0vk0lbqeeljri88laipsfh' and
'92pqneegtaue7pjatc3l3qnk738c6v5m'. The first and last NSEC3 RRs
prove that these hashed owner names do not exist.
B.2. No Data Error
A "no data" response. The NSEC3 RR proves that the name exists and that the requested RR type does not.
;; Header: QR AA DO RCODE=0
;;
;; Question
ns1.example. IN MX
;; Answer
;; (empty)
;; Authority
example. SOA ns1.example. bugs.x.w.example. 1 3600 300 (
3600000 3600 )
example. RRSIG SOA 7 1 3600 20150420235959 20051021000000 (
40430 example.
Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8i
q4ZLlYWfUUbbAS41pG+68z81q1xhkYAcEyHd
VI2LmKusbZsT0Q== )
;; NSEC3 RR matches the QNAME and shows that the MX type bit is not set.
2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. NSEC3 1 1 12 aabbccdd (
2vptu5timamqttgl4luu9kg21e0aor3s A RRSIG )
2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. RRSIG NSEC3 7 2 3600 (
20150420235959 20051021000000 40430 example.
OmBvJ1Vgg1hCKMXHFiNeIYHK9XVW0iLDLwJN
4TFoNxZuP03gAXEI634YwOc4YBNITrj413iq
NI6mRk/r1dOSUw== )
;; Additional
;; (empty)
The query returned an NSEC3 RR that proves that the requested name
exists ("ns1.example." hashes to "2t7b4g4vsa5smi47k61mv5bv1a22bojr"),
that the requested RR type does not exist (type MX is absent from the
Type Bit Maps field of the NSEC3 RR), and that the name does not own
a CNAME (type CNAME is also absent from the Type Bit Maps field).
B.2.1. No Data Error, Empty Non-Terminal
A "no data" response because of an empty non-terminal. The NSEC3 RR proves that the name exists and that the requested RR type does not.
;; Header: QR AA DO RCODE=0
;;
;; Question
y.w.example. IN A
;; Answer
;; (empty)
;; Authority
example. SOA ns1.example. bugs.x.w.example. 1 3600 300 (
3600000 3600 )
example. RRSIG SOA 7 1 3600 20150420235959 20051021000000 (
40430 example.
Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8i
q4ZLlYWfUUbbAS41pG+68z81q1xhkYAcEyHd
VI2LmKusbZsT0Q== )
;; NSEC3 RR matches the QNAME and shows that the A type bit is not set.
ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. NSEC3 1 1 12 aabbccdd (
k8udemvp1j2f7eg6jebps17vp3n8i58h )
ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. RRSIG NSEC3 7 2 3600 (
20150420235959 20051021000000 40430 example.
gPkFp1s2QDQ6wQzcg1uSebZ61W33rUBDcTj7
2F3kQ490fEdp7k1BUIfbcZtPbX3YCpE+sIt0
MpzVSKfTwx4uYA== )
;; Additional
;; (empty)
The query returned an NSEC3 RR that proves that the requested name
exists ("y.w.example." hashes to "ji6neoaepv8b5o6k4ev33abha8ht9fgc"),
but the requested RR type does not exist (Type A is absent in the
Type Bit Maps field of the NSEC3 RR). Note that, unlike an empty
non-terminal proof using NSEC RRs, this response is indistinguishable
from an ordinary No Data Error: every empty non-terminal has its own
NSEC3 RR, so no special case is needed. This example is included only
for completeness.
B.3. Referral to an Opt-Out Unsigned Zone
The NSEC3 RRs prove that nothing for this delegation was signed. There is no proof that the unsigned delegation exists.
;; Header: QR DO RCODE=0
;;
;; Question
mc.c.example. IN MX
;; Answer
;; (empty)
;; Authority
c.example. NS ns1.c.example.
NS ns2.c.example.
;; NSEC3 RR that covers the "next closer" name (c.example)
;; H(c.example) = 4g6p9u5gvfshp30pqecj98b3maqbn1ck
35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd (
b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
35mthgpgcu1qg68fab165klnsnk3dpvl.example. RRSIG NSEC3 7 2 3600 (
20150420235959 20051021000000 40430 example.
g6jPUUpduAJKRljUsN8gB4UagAX0NxY9shwQ
Aynzo8EUWH+z6hEIBlUTPGj15eZll6VhQqgZ
XtAIR3chwgW+SA== )
;; NSEC3 RR that matches the closest encloser (example)
;; H(example) = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
SOA NSEC3PARAM RRSIG )
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 7 2 3600 (
20150420235959 20051021000000 40430 example.
OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL
IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762
BOCXJZMnpuwhpA== )
;; Additional
ns1.c.example. A 192.0.2.7
ns2.c.example. A 192.0.2.8
The query returned a referral to the unsigned "c.example." zone. The
response proves that the closest provable encloser of "c.example" is
"example": the second NSEC3 RR matches the hash of "example", and the
hash of "c.example" ("4g6p9u5gvfshp30pqecj98b3maqbn1ck") is covered
by the first NSEC3 RR, whose Opt-Out flag is set. Because of Opt-Out,
these RRs prove only that no signed DS RRSet exists for "c.example";
they do not prove that the delegation itself exists, so the resolver
treats the child zone as insecure rather than as bogus.
B.4. Wildcard Expansion
A query that was answered with a response containing a wildcard expansion. The label count in the RRSIG RRSet in the answer section indicates that a wildcard RRSet was expanded to produce this response, and the NSEC3 RR proves that no "next closer" name exists in the zone.
;; Header: QR AA DO RCODE=0
;;
;; Question
a.z.w.example. IN MX
;; Answer
a.z.w.example. MX 1 ai.example.
a.z.w.example. RRSIG MX 7 2 3600 20150420235959 20051021000000 (
40430 example.
CikebjQwGQPwijVcxgcZcSJKtfynugtlBiKb
9FcBTrmOoyQ4InoWVudhCWsh/URX3lc4WRUM
ivEBP6+4KS3ldA== )
;; Authority
example. NS ns1.example.
example. NS ns2.example.
example. RRSIG NS 7 1 3600 20150420235959 20051021000000 (
40430 example.
PVOgtMK1HHeSTau+HwDWC8Ts+6C8qtqd4pQJ
qOtdEVgg+MA+ai4fWDEhu3qHJyLcQ9tbD2vv
CnMXjtz6SyObxA== )
;; NSEC3 RR that covers the "next closer" name (z.w.example)
;; H(z.w.example) = qlu7gtfaeh0ek0c05ksfhdpbcgglbe03
q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd (
r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG )
q04jkcevqvmu85r014c7dkba38o0ji5r.example. RRSIG NSEC3 7 2 3600 (
20150420235959 20051021000000 40430 example.
hV5I89b+4FHJDATp09g4bbN0R1F845CaXpL3
ZxlMKimoPAyqletMlEWwLfFia7sdpSzn+ZlN
NlkxWcLsIlMmUg== )
;; Additional
ai.example. A 192.0.2.9
ai.example. RRSIG A 7 2 3600 20150420235959 20051021000000 (
40430 example.
hVe+wKYMlObTRPhX0NL67GxeZfdxqr/QeR6F
tfdAj5+FgYxyzPEjIzvKWy00hWIl6wD3Vws+
rznEn8sQ64UdqA== )
ai.example. AAAA 2001:db8:0:0:0:0:f00:baa9
ai.example. RRSIG AAAA 7 2 3600 20150420235959 20051021000000 (
40430 example.
LcdxKaCB5bGZwPDg+3JJ4O02zoMBrjxqlf6W
uaHQZZfTUpb9Nf2nxFGe2XRPfR5tpJT6GdRG
cHueLuXkMjBArQ== )
The query returned an answer that was produced as a result of a
wildcard expansion. The answer section contains a wildcard RRSet
expanded as it would be in a traditional DNS response. The RRSIG
Labels field value of 2 indicates that the answer is the result of a
wildcard expansion, as the "a.z.w.example" name contains 4 labels.
This also shows that "w.example" exists, so there is no need for an
NSEC3 RR that matches the closest encloser.
The NSEC3 RR proves that no closer match could have been used to
answer this query.
B.5. Wildcard No Data Error
A "no data" response for a name covered by a wildcard. The NSEC3 RRs prove that the matching wildcard name does not have any RRs of the requested type and that no closer match exists in the zone.
;; Header: QR AA DO RCODE=0
;;
;; Question
a.z.w.example. IN AAAA
;; Answer
;; (empty)
;; Authority
example. SOA ns1.example. bugs.x.w.example. 1 3600 300 (
3600000 3600 )
example. RRSIG SOA 7 1 3600 20150420235959 20051021000000 (
40430 example.
Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8i
q4ZLlYWfUUbbAS41pG+68z81q1xhkYAcEyHd
VI2LmKusbZsT0Q== )
;; NSEC3 RR that matches the closest encloser (w.example)
;; H(w.example) = k8udemvp1j2f7eg6jebps17vp3n8i58h
k8udemvp1j2f7eg6jebps17vp3n8i58h.example. NSEC3 1 1 12 aabbccdd (
kohar7mbb8dc2ce8a9qvl8hon4k53uhi )
k8udemvp1j2f7eg6jebps17vp3n8i58h.example. RRSIG NSEC3 7 2 3600 (
20150420235959 20051021000000 40430 example.
FtXGbvF0+wf8iWkyo73enAuVx03klN+pILBK
S6qCcftVtfH4yVzsEZquJ27NHR7ruxJWDNMt
Otx7w9WfcIg62A== )
;; NSEC3 RR that covers the "next closer" name (z.w.example)
;; H(z.w.example) = qlu7gtfaeh0ek0c05ksfhdpbcgglbe03
q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd (
r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG )
q04jkcevqvmu85r014c7dkba38o0ji5r.example. RRSIG NSEC3 7 2 3600 (
20150420235959 20051021000000 40430 example.
hV5I89b+4FHJDATp09g4bbN0R1F845CaXpL3
ZxlMKimoPAyqletMlEWwLfFia7sdpSzn+ZlN
NlkxWcLsIlMmUg== )
;; NSEC3 RR that matches a wildcard at the closest encloser.
;; H(*.w.example) = r53bq7cc2uvmubfu5ocmm6pers9tk9en
r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. NSEC3 1 1 12 aabbccdd (
t644ebqk9bibcna874givr6joj62mlhv MX RRSIG )
r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. RRSIG NSEC3 7 2 3600 (
20150420235959 20051021000000 40430 example.
aupviViruXs4bDg9rCbezzBMf9h1ZlDvbW/C
ZFKulIGXXLj8B/fsDJarXVDA9bnUoRhEbKp+
HF1FWKW7RIJdtQ== )
;; Additional
;; (empty)
The query returned the NSEC3 RRs that prove that the requested data
does not exist and no wildcard RR applies.
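The checks walked through in B.1, B.2, B.3 and B.5 above (and the no-data check of B.6), written out as an added example that is not part of RFC 5155 or of any resolver implementation: it computes the NSEC3 hash of Section 5 (SHA-1, salt aabbccdd, 12 iterations, base32hex), decides whether an NSEC3 RR matches or covers a hash, and walks the closest encloser algorithm of Section 8.3 over NSEC3 RRs copied from the responses above. The B.1 question line is not shown on this page, so the example assumes a query name "a.c.x.w.example", one label below the next closer name "c.x.w.example"; the tuple layout for an NSEC3 RR and the function names are the example's own.

```python
import base64
import hashlib

# Each NSEC3 RR is a tuple: (hashed owner label, flags, next hashed owner, set of types).
_B32_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def name_to_wire(name):
    """Canonical wire form (RFC 4034 6.2): lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: SHA-1(name || salt), re-hashed with the salt `iterations` more
    times, shown as lowercase base32hex (RFC 4648); a 20-byte digest needs no padding."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_HEX).lower()

def covers(rr, h):
    """h lies strictly between owner and next (base32hex sorts like the raw hash); the
    last RR of the chain wraps around to the smallest hash in the zone."""
    owner, _, nxt, _ = rr
    return owner < h < nxt if owner < nxt else (h > owner or h < nxt)

def matching(h, rrs):
    return next((rr for rr in rrs if rr[0] == h), None)

def covering(h, rrs):
    return next((rr for rr in rrs if covers(rr, h)), None)

def ancestors(qname, apex):
    """qname, its parent, ..., apex (qname is assumed to lie inside the zone)."""
    labels = qname.lower().rstrip(".").split(".")
    n_apex = len(apex.lower().rstrip(".").split("."))
    return [".".join(labels[i:]) for i in range(len(labels) - n_apex + 1)]

def closest_encloser(qname, apex, rrs, salt, iters):
    """RFC 5155 section 8.3: walk up from qname until a hashed ancestor matches an NSEC3
    owner, then require the next closer name (one label longer) to be covered.
    Returns (closest encloser, next closer name, covering NSEC3) or None."""
    names = ancestors(qname, apex)
    for i, name in enumerate(names):
        m = matching(nsec3_hash(name, salt, iters), rrs)
        if m is None:
            continue
        if i == 0:  # qname itself exists, so this is not a non-existence proof
            return None
        # Section 8.3 also rejects a closest encloser that is a DNAME or a delegation.
        if "DNAME" in m[3] or ("NS" in m[3] and "SOA" not in m[3]):
            return None
        c = covering(nsec3_hash(names[i - 1], salt, iters), rrs)
        return (name, names[i - 1], c) if c else None
    return None

def prove_name_error(qname, apex, rrs, salt, iters):
    """B.1: closest encloser proof plus a covered wildcard at the closest encloser."""
    proof = closest_encloser(qname, apex, rrs, salt, iters)
    return proof is not None and covering(nsec3_hash("*." + proof[0], salt, iters), rrs) is not None

def prove_no_data(qname, qtype, rrs, salt, iters):
    """B.2, B.2.1, B.6: an NSEC3 matches qname and lists neither qtype nor CNAME."""
    m = matching(nsec3_hash(qname, salt, iters), rrs)
    return m is not None and qtype not in m[3] and "CNAME" not in m[3]

def prove_optout_delegation(dname, apex, rrs, salt, iters):
    """B.3: the delegation name is the next closer name and the NSEC3 covering it has
    the Opt-Out flag (bit 0) set, so an unsigned child may exist there."""
    proof = closest_encloser(dname, apex, rrs, salt, iters)
    return proof is not None and proof[1] == dname.lower().rstrip(".") and bool(proof[2][1] & 1)

def prove_wildcard_no_data(qname, qtype, apex, rrs, salt, iters):
    """B.5: closest encloser proof plus a no-data proof for the wildcard at the closest encloser."""
    proof = closest_encloser(qname, apex, rrs, salt, iters)
    return proof is not None and prove_no_data("*." + proof[0], qtype, rrs, salt, iters)

# NSEC3 RRs copied from the responses above (NSEC3 1 1 12 aabbccdd).
SALT, ITERS, APEX = "aabbccdd", 12, "example"
B1_RRS = [
    ("0p9mhaveqvm6t7vbl5lop2u3t2rp3tom", 1, "2t7b4g4vsa5smi47k61mv5bv1a22bojr",
     {"MX", "DNSKEY", "NS", "SOA", "NSEC3PARAM", "RRSIG"}),
    ("b4um86eghhds6nea196smvmlo4ors995", 1, "gjeqe526plbf1g8mklp59enfd789njgi", {"MX", "RRSIG"}),
    ("35mthgpgcu1qg68fab165klnsnk3dpvl", 1, "b4um86eghhds6nea196smvmlo4ors995", {"NS", "DS", "RRSIG"}),
]
B2_RRS = [("2t7b4g4vsa5smi47k61mv5bv1a22bojr", 1, "2vptu5timamqttgl4luu9kg21e0aor3s", {"A", "RRSIG"})]
B3_RRS = [B1_RRS[2], B1_RRS[0]]
B5_RRS = [
    ("k8udemvp1j2f7eg6jebps17vp3n8i58h", 1, "kohar7mbb8dc2ce8a9qvl8hon4k53uhi", set()),
    ("q04jkcevqvmu85r014c7dkba38o0ji5r", 1, "r53bq7cc2uvmubfu5ocmm6pers9tk9en", {"A", "RRSIG"}),
    ("r53bq7cc2uvmubfu5ocmm6pers9tk9en", 1, "t644ebqk9bibcna874givr6joj62mlhv", {"MX", "RRSIG"}),
]

if __name__ == "__main__":
    # a.c.x.w.example is an assumed QNAME; the B.1 question line is not shown on this page.
    print(prove_name_error("a.c.x.w.example", APEX, B1_RRS, SALT, ITERS))
    print(prove_optout_delegation("c.example", APEX, B3_RRS, SALT, ITERS))
```

Hashes are compared as lowercase base32hex strings: because that alphabet is in ASCII order and every hash has the same length, string comparison gives the same order as comparing the raw digests, which is the order the NSEC3 chain is sorted in. Note that prove_no_data("example", "DS", ...) succeeds against the B.6 response even though that NSEC3 RR comes from the child apex; a real validator must first check that the NSEC3 was obtained from the parent side of the zone cut (the SOA bit in the B.6 NSEC3 RR shows it was not) before accepting it as a denial of the DS RRSet.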
B.6. DS Child Zone No Data Error
A "no data" response for a QTYPE=DS query that was mistakenly sent to a name server for the child zone.
;; Header: QR AA DO RCODE=0
;;
;; Question
example. IN DS
;; Answer
;; (empty)
;; Authority
example. SOA ns1.example. bugs.x.w.example. 1 3600 300 (
3600000 3600 )
example. RRSIG SOA 7 1 3600 20150420235959 20051021000000 (
40430 example.
Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8i
q4ZLlYWfUUbbAS41pG+68z81q1xhkYAcEyHd
VI2LmKusbZsT0Q== )
;; NSEC3 RR matches the QNAME and shows that the DS type bit is not set.
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
SOA NSEC3PARAM RRSIG )
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 7 2 3600 (
20150420235959 20051021000000 40430 example.
OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL
IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762
BOCXJZMnpuwhpA== )
;; Additional
;; (empty)
The query returned an NSEC3 RR showing that the request was answered
by the server authoritative for the zone "example". The NSEC3 RR
indicates the presence of an SOA RR, showing that this NSEC3 RR comes
from the apex of the child, not from the zone cut in the parent. A
validator must therefore not accept it as proof that no DS RRSet
exists; only an NSEC3 RR from the parent zone can deny the DS RRSet.
Queries for the "example" DS RRSet should be sent to the parent
servers (which are in this case the root servers).