Hi Emmanuel,
On Mon, Mar 27, 2023 at 10:51, Emmanuel Fusté <[email protected]> wrote:
> Cloudflare has started to return TYPE65283 in their NSEC records for "compact
> DNSSEC denial of existence"/"minimal lies" for NXDOMAINs.
> It actually breaks "minimal lies" NXDOMAIN established decoding
> implementations.
> Does someone know the TYPE65283 usage/purpose in this context?

If a compact negative response includes an NSEC RR whose type bitmap only
includes NSEC and RRSIG, the response is indistinguishable from the case where
the name exists but is an empty non-terminal. Adding a special entry in the
type bitmap avoids that ambiguity and as a bonus provides an NXDOMAINish signal
as a kind of compromise to those consumers who are all pitchforky about the
RCODE. The spec currently calls that special type NXNAME.

https://www.ietf.org/archive/id/draft-huque-dnsop-compact-lies-01.txt

The spec is still a work in progress and the NXNAME type does not have a
codepoint. I believe TYPE65283 is being used as a placeholder. I think
Christian made a comment to that effect on this list last week, although I
think he may not have mentioned the specific RRTYPE that was to be used.

If this has caused something to break, more details would be good to hear!

Joe
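
Added example, not part of the message above or of the draft: a Python decoder for the NSEC type bitmap wire format (RFC 4034, section 4.1.2) that shows how the bitmap with only NSEC and RRSIG differs from one that also carries the TYPE65283 placeholder. The sample bitmaps are constructed, and the function names and classification labels are assumptions of this example.

```python
RRSIG, NSEC = 46, 47
NXNAME_PLACEHOLDER = 65283  # TYPE65283, the placeholder value named in the thread

def parse_type_bitmap(wire: bytes) -> set[int]:
    """Decode an NSEC type bitmap into the set of RR type numbers it lists."""
    types, pos, last_window = set(), 0, -1
    while pos < len(wire):
        if pos + 2 > len(wire):
            raise ValueError("truncated window header")
        window, length = wire[pos], wire[pos + 1]
        pos += 2
        if not 1 <= length <= 32:
            raise ValueError("bitmap length must be 1..32")
        if window <= last_window:
            raise ValueError("window blocks must be in increasing order")
        if pos + length > len(wire):
            raise ValueError("truncated bitmap")
        for index, octet in enumerate(wire[pos:pos + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):  # bit 0 is the most significant bit
                    types.add(window * 256 + index * 8 + bit)
        pos += length
        last_window = window
    return types

def classify(wire: bytes) -> str:
    """Label a compact negative answer by its NSEC type bitmap (labels are ours)."""
    types = parse_type_bitmap(wire)
    if NXNAME_PLACEHOLDER in types:
        return "NXDOMAIN"         # explicit "name does not exist" marker
    if types == {RRSIG, NSEC}:
        return "ENT_OR_NXDOMAIN"  # the ambiguity described in the message
    return "NODATA"               # name exists and owns other types

# Constructed samples: window 0 holds types 0..255, window 255 holds 65280..65535.
BITMAP_PLAIN = bytes.fromhex("0006000000000003")         # RRSIG, NSEC
BITMAP_NXNAME = bytes.fromhex("0006000000000003ff0110")  # RRSIG, NSEC, TYPE65283
BITMAP_A = bytes.fromhex("0006400000000003")             # A, RRSIG, NSEC

if __name__ == "__main__":
    for name, wire in [("plain", BITMAP_PLAIN), ("nxname", BITMAP_NXNAME),
                       ("a", BITMAP_A)]:
        print(name, sorted(parse_type_bitmap(wire)), classify(wire))
```
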