Don't set the NSEC3 opt-out bit in your own zones

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Sep 8 21:39:56 CEST 2018


The NSEC3 opt-out bit allows DNS registry operators of public suffix
domains (TLDs like .com, 2LDs like .co.uk, ...) where most delegations
are unsigned to save CPU time and space by including only the signed
delegations in their NSEC3 chain.  While this is handy for such
domains with lots of insecure delegations, it is otherwise a bad
idea.  Unless you're a TLD/2LD operator of that sort, DO NOT set
the opt-out bit in your NSEC3PARAM record.

Here's one example of what can go wrong:

    http://dnsviz.net/d/_25._tcp.mail.ormanns.net/dnssec/

Until today, the ormanns.net domain used to have working secure
TLSA records for its MX host:

    ormanns.net. IN MX 0 mail.ormanns.net. ; NoError AD=1
    mail.ormanns.net. IN A 37.120.182.194 ; NoError AD=1
    mail.ormanns.net. IN AAAA 2a03:4000:15:7e:: ; NoError AD=1

but then the TLSA record:

    _25._tcp.mail.ormanns.net. IN TLSA 3 1 1 c95ab7f0b49c1d762408d0089133d20d78c992e6e28b28c165d18e043c574ba8

was replaced with a wildcard:

    *._tcp.mail.ormanns.net. IN TLSA 3 1 1 c95ab7f0b49c1d762408d0089133d20d78c992e6e28b28c165d18e043c574ba8

Unfortunately, while the zone is DNSSEC-signed, and the wildcard
record is "secure", denial of existence of the removed TLSA RR for
_25._tcp.mail.ormanns.net is "insecure" because of the NSEC3 opt-out
bit.  And so the wildcard-synthesized TLSA is also "insecure" and
the domain is no longer DANE-protected.

One could keep the NSEC3 opt-out bit and carefully add desired
CNAMEs to share a TLSA record across services:

    _dane.mail.ormanns.net. IN TLSA 3 1 1 c95ab7f0b49c1d762408d0089133d20d78c992e6e28b28c165d18e043c574ba8
    _25._tcp.mail.ormanns.net. IN CNAME _dane.mail.ormanns.net.
    _587._tcp.mail.ormanns.net. IN CNAME _dane.mail.ormanns.net.
    _465._tcp.mail.ormanns.net. IN CNAME _dane.mail.ormanns.net.
    _443._tcp.mail.ormanns.net. IN CNAME _dane.mail.ormanns.net.

But, whether that's a good idea or not, it is far better to avoid
NSEC3 opt-out and have secure denial of existence for all names in
the zone, and then wildcards don't bring any security surprises.

-- 
	Viktor.
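The validator logic behind the failure described in the post, as an added example (not Viktor's code and not taken from the live ormanns.net zone): it computes RFC 5155 NSEC3 hashes, builds a toy chain from the names assumed to remain in the zone after the _25 TLSA record was replaced by the wildcard, and runs the closest-encloser proof for the wildcard-synthesized answer. The salt, iteration count and the list of existing names are constructed for the example.

```python
import base64
import hashlib
OPT_OUT = 0x01  # RFC 5155 NSEC3 Flags field, bit 0

def wire_name(name):
    """Canonical (lowercase) wire-format DNS name with length-prefixed labels."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5: iterated SHA-1 over name||salt, base32hex encoded."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    b32hex = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")
    return base64.b32encode(h).decode().translate(b32hex).lower()

def build_chain(names, salt, iterations, opt_out):
    """Toy NSEC3 chain: (owner_hash, flags, next_hash) for every existing name."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    flags = OPT_OUT if opt_out else 0
    return [(hashes[i], flags, hashes[(i + 1) % len(hashes)]) for i in range(len(hashes))]

def find_covering(chain, h):
    """NSEC3 whose owner..next interval contains h (the last record wraps around)."""
    for owner, flags, nxt in chain:
        if (owner < h < nxt) or (owner > nxt and (h > owner or h < nxt)):
            return (owner, flags, nxt)
    return None

def wildcard_answer_status(qname, closest_encloser, chain, salt, iterations):
    """Closest-encloser proof for a wildcard-synthesized answer (RFC 5155 8.8/9.2): the
    closest encloser must match, the next closer name must be covered, and Opt-Out
    on the covering NSEC3 downgrades the synthesized answer from Secure to Insecure."""
    if not any(r[0] == nsec3_hash(closest_encloser, salt, iterations) for r in chain):
        return "bogus"
    ce_labels = closest_encloser.rstrip(".").count(".") + 1
    next_closer = ".".join(qname.rstrip(".").split(".")[-(ce_labels + 1):])
    covering = find_covering(chain, nsec3_hash(next_closer, salt, iterations))
    if covering is None:
        return "bogus"
    return "insecure" if covering[1] & OPT_OUT else "secure"

# Constructed zone state after the _25 TLSA was replaced by the wildcard; salt and
# iteration count are made up for this example, not the real zone's parameters.
SALT, ITERATIONS = bytes.fromhex("c0ffee"), 5
EXISTING = ["ormanns.net", "mail.ormanns.net", "_tcp.mail.ormanns.net", "*._tcp.mail.ormanns.net"]
QNAME, CLOSEST_ENCLOSER = "_25._tcp.mail.ormanns.net", "_tcp.mail.ormanns.net"

def demo(opt_out):
    chain = build_chain(EXISTING, SALT, ITERATIONS, opt_out)
    return wildcard_answer_status(QNAME, CLOSEST_ENCLOSER, chain, SALT, ITERATIONS)
```

demo(True) returns "insecure" (the wildcard TLSA cannot be used for DANE), demo(False) returns "secure"; nsec3_hash("example", bytes.fromhex("aabbccdd"), 12) reproduces the RFC 5155 Appendix A apex hash.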

