Dear colleagues,

NS1 is going to deploy a change to the Compact Denial of Existence in DNSSEC which modifies the signaling for empty non-terminals and non-existent names in the NSEC bit map.

Currently, we include TYPE65281 in the NSEC bit map for empty non-terminals. We are going to remove that bit and instead set TYPE65283 in the NSEC bit map for non-existent names.

If you prefer examples, we are moving from the following:

  empty.example. IN NSEC \000.empty.example. RRSIG NSEC TYPE65281
  nx.example. IN NSEC \000.nx.example. RRSIG NSEC

To the next:

  empty.example. IN NSEC \000.empty.example. RRSIG NSEC
  nx.example. IN NSEC \000.nx.example. RRSIG NSEC TYPE65283

The change is done in order to get the behavior aligned with draft-ietf-dnsop-compact-denial-of-existence-01. The code point 65283 was chosen for consistency with Cloudflare's implementation and it will be updated once the value for NXNAME is assigned.

Please, let me know if you have questions. We expect the change to be deployed in the following weeks.

Best regards,

Jan Včelák
(for NS1, an IBM Company)
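Added example, not part of the original message and not NS1 code: a Python sketch that decodes an NSEC type bitmap (RFC 4034 wire format) and interprets it under the old and the new signaling described above. It shows that a bare "RRSIG NSEC" bitmap changes meaning across the transition. The sample bitmaps are constructed, and returning "other" for any bitmap not covered by the message is an assumption.

```python
# Added illustration (not NS1 code); type codes are those named in the message.
RRSIG, NSEC = 46, 47
ENT_OLD = 65281     # old signaling: marks an empty non-terminal
NXNAME_NEW = 65283  # new signaling: marks a non-existent name

# Constructed sample bitmaps in wire format: window, length, bitmap octets.
SAMPLES = {
    "RRSIG NSEC": bytes.fromhex("0006000000000003"),
    "RRSIG NSEC TYPE65281": bytes.fromhex("0006000000000003ff0140"),
    "RRSIG NSEC TYPE65283": bytes.fromhex("0006000000000003ff0110"),
}

def decode_bitmap(wire):
    """Decode an NSEC type bitmap (RFC 4034, section 4.1.2) into a set of type codes."""
    types, pos = set(), 0
    while pos < len(wire):
        if pos + 2 > len(wire):
            raise ValueError("truncated window header")
        window, length = wire[pos], wire[pos + 1]
        pos += 2
        if not 1 <= length <= 32 or pos + length > len(wire):
            raise ValueError("bad bitmap length")
        for i, octet in enumerate(wire[pos:pos + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add(window * 256 + i * 8 + bit)
        pos += length
    return types

def classify(types, scheme):
    """Interpret a compact-denial NSEC type set under the 'old' or 'new' signaling."""
    if scheme not in ("old", "new"):
        raise ValueError("scheme must be 'old' or 'new'")
    extra = types - {RRSIG, NSEC}
    if not extra:
        # Same bitmap, opposite meaning before and after the change.
        return "non-existent name" if scheme == "old" else "empty non-terminal"
    if scheme == "old" and extra == {ENT_OLD}:
        return "empty non-terminal"
    if scheme == "new" and extra == {NXNAME_NEW}:
        return "non-existent name"
    # Assumption: anything else is outside the two cases the message describes.
    return "other"

if __name__ == "__main__":
    for text, wire in SAMPLES.items():
        t = decode_bitmap(wire)
        print(f"{text}: old={classify(t, 'old')}, new={classify(t, 'new')}")
```

Monitoring or validation tooling that infers NXDOMAIN from the bitmap needs to know which signaling a given response uses, since the bare "RRSIG NSEC" case cannot be told apart by content alone.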
