relaycorp/dnssec-js

Add support for Denial of Existence records (NSEC and NSEC3)

gnarea opened this issue · 0 comments

We don't need DoE records in Vera, so we're not implementing them. However, we'd welcome PRs to support them.

Note that this missing feature does not represent a security vulnerability because DNSSEC verification will still fail -- it'll just throw an error instead of returning a SecurityStatus value.

High-level design

These are the main changes we have to make as of November 2022:

  • Message: Add support for Authority answers.
  • ZoneSigner: Add two methods, to be used in the tests: generateNsec() and generateNsec3().
  • Zone.initChild(): Change return type from VerificationResult<Zone> to VerificationResult<Zone | null>, and use null as a successful result when the DS response for the child zone denies the existence of such a record.
  • UnverifiedChain.verify(): Change return type from VerificationResult<RRSet> to VerificationResult<RRSet | null>, and use null as a successful result when the apex zone denies the existence of such an RRset.
  • Update README to remove comments about not supporting DoE records.
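As an added illustration of what the NSEC side of this feature has to check (this is example code written for this page, not code from dnssec-js or from the issue author), the block below decides whether a set of already-validated NSEC records proves NXDOMAIN or NODATA for a query, or proves nothing. It assumes a simplified `NsecRecord` shape with names as absolute presentation strings and the Type Bit Maps rendered as mnemonics; `verifyDenial`, `nsecCovers` and the sample chain for `example.` are all assumptions of the example, and NSEC3 is not covered.

```typescript
// Added example (not dnssec-js code): NSEC-based denial-of-existence checks.
// Assumes the NSEC RRs and their RRSIGs were already validated, names are absolute
// presentation-format strings, and Type Bit Maps are given as mnemonics. No NSEC3.

type NsecRecord = {
  owner: string;      // owner name of the NSEC RR, e.g. "alpha.example."
  nextOwner: string;  // the NSEC "Next Domain Name" field
  types: string[];    // Type Bit Maps as mnemonics ("A", "NS", "RRSIG", ...)
};

// Labels of a name, lowercased, root label dropped: "A.Example." -> ["a", "example"]
function labels(name: string): string[] {
  const trimmed = name.toLowerCase().replace(/\.$/, '');
  return trimmed === '' ? [] : trimmed.split('.');
}

// RFC 4034 section 6.1 canonical ordering: compare label by label from the root,
// byte-wise on lowercased labels (ASCII assumed); a proper ancestor sorts first.
function compareNames(a: string, b: string): number {
  const la = labels(a).reverse();
  const lb = labels(b).reverse();
  for (let i = 0; i < Math.min(la.length, lb.length); i++) {
    if (la[i] !== lb[i]) return la[i] < lb[i] ? -1 : 1;
  }
  return la.length - lb.length;
}

function isAncestorOrSelf(ancestor: string, name: string): boolean {
  const la = labels(ancestor).reverse();
  const ln = labels(name).reverse();
  return la.length <= ln.length && la.every((l, i) => l === ln[i]);
}

// Longest common ancestor of two names as an absolute name ("." for the root).
function longestCommonAncestor(a: string, b: string): string {
  const la = labels(a).reverse();
  const lb = labels(b).reverse();
  const common: string[] = [];
  for (let i = 0; i < Math.min(la.length, lb.length) && la[i] === lb[i]; i++) common.push(la[i]);
  return common.length === 0 ? '.' : common.reverse().join('.') + '.';
}

// True if `name` sits strictly inside the gap (owner, nextOwner) of this NSEC in the
// zone at `apex`. The last NSEC points back to the apex, so it covers every in-zone
// name that sorts after its owner.
function nsecCovers(nsec: NsecRecord, name: string, apex: string): boolean {
  if (!isAncestorOrSelf(apex, name)) return false;
  const afterOwner = compareNames(nsec.owner, name) < 0;
  const beforeNext = compareNames(name, nsec.nextOwner) < 0;
  const wrapsToApex = compareNames(nsec.nextOwner, apex) === 0;
  return afterOwner && (beforeNext || wrapsToApex);
}

// RFC 6840 section 4.1: an NSEC at a delegation point (NS without SOA) or at a DNAME
// owner proves nothing about names below it, so it must not be used for them.
function ownerIsOpaqueAncestor(nsec: NsecRecord, name: string): boolean {
  if (compareNames(nsec.owner, name) === 0 || !isAncestorOrSelf(nsec.owner, name)) return false;
  const t = nsec.types.map((x) => x.toUpperCase());
  return t.includes('DNAME') || (t.includes('NS') && !t.includes('SOA'));
}

// NODATA proof: the NSEC owner is the queried name and its bitmap lacks both the
// queried type and CNAME (a CNAME would have been followed instead; RFC 4035 s5.4).
function nsecDeniesType(nsec: NsecRecord, name: string, qtype: string): boolean {
  if (compareNames(nsec.owner, name) !== 0) return false;
  const t = nsec.types.map((x) => x.toUpperCase());
  return !t.includes(qtype.toUpperCase()) && !t.includes('CNAME');
}

// The kind of denial the NSEC set proves for <qname, qtype>, or 'UNPROVEN' when the
// proof is incomplete. An incomplete proof must fail validation rather than be
// reported as a secure negative answer.
function verifyDenial(nsecs: NsecRecord[], qname: string, qtype: string, apex: string): 'NXDOMAIN' | 'NODATA' | 'UNPROVEN' {
  if (nsecs.some((n) => nsecDeniesType(n, qname, qtype))) return 'NODATA';
  const covering = nsecs.find((n) => nsecCovers(n, qname, apex) && !ownerIsOpaqueAncestor(n, qname));
  if (!covering) return 'UNPROVEN';
  // NXDOMAIN also requires proof that no wildcard could have synthesised an answer:
  // the wildcard at the closest encloser must itself be covered (RFC 4035 s5.4).
  const ceOwner = longestCommonAncestor(qname, covering.owner);
  const ceNext = longestCommonAncestor(qname, covering.nextOwner);
  const closestEncloser = labels(ceOwner).length >= labels(ceNext).length ? ceOwner : ceNext;
  const wildcard = closestEncloser === '.' ? '*.' : `*.${closestEncloser}`;
  const wildcardDenied = nsecs.some((n) => nsecCovers(n, wildcard, apex) && !ownerIsOpaqueAncestor(n, wildcard));
  return wildcardDenied ? 'NXDOMAIN' : 'UNPROVEN';
}

// Constructed NSEC chain for a zone "example." (sample data, not from a real zone).
const EXAMPLE_NSECS: NsecRecord[] = [
  { owner: 'example.', nextOwner: 'alpha.example.', types: ['SOA', 'NS', 'RRSIG', 'NSEC', 'DNSKEY'] },
  { owner: 'alpha.example.', nextOwner: 'delta.example.', types: ['A', 'RRSIG', 'NSEC'] },
  { owner: 'delta.example.', nextOwner: 'sub.example.', types: ['NS', 'RRSIG', 'NSEC'] }, // delegation
  { owner: 'sub.example.', nextOwner: 'example.', types: ['AAAA', 'RRSIG', 'NSEC'] },
];
```

Mapped onto the design sketched in the issue, an `'NXDOMAIN'` or `'NODATA'` result is the situation in which `Zone.initChild()` or `UnverifiedChain.verify()` would return `null` as a successful result; an `'UNPROVEN'` result is exactly the case where verification has to fail, which is why a name below a delegation (`www.delta.example.` in the sample chain) is not treated as denied even though the delegation's own NSEC gap happens to enclose it.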