On Wed, Jul 28, 2021 at 7:42 AM Ralf Weber <[email protected]> wrote:

> Moin!
>
> On 28 Jul 2021, at 1:34, Shumon Huque wrote:
>
> > The Black Lies method of providing compact DNSSEC denial of existence
> > proofs has some operational implications. Depending on the specific
> > implementation, it may provide no way to reliably distinguish Empty
> > Non-Terminal names from names that actually do not exist. This draft
> > describes the use of a synthetic DNS resource record type to act as
> > an explicit signal for Empty Non-Terminal names and which is conveyed
> > in an NSEC type bitmap.
>
> Hmm, I may be sleep deprived, but the way I read this is that instead of
> giving back NoError/NoData and a standard NSEC response I now have to
> give back an additional record type, so that some client can distinguish
> that as not being NXDomain, which according to the answer it never was?
>
> Does this mean we would have to change all existing authoritative servers
> to add this record type to signal empty non-terminal responses?
>
Hi Ralf,

No. This is only for Black Lies implementations (which lie about NXDOMAIN). If you don't do Black Lies, you don't have to do anything.

Shumon.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
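An added example, not part of the thread and not code from the draft or any implementation: how a validator-side check could read the NSEC type bitmap of a Black Lies NOERROR/NODATA answer and tell a signalled Empty Non-Terminal from a name that may not exist. The thread does not give the synthetic type's code point, so `ENT_SIGNAL = 65281` is a constructed placeholder from the private-use range, and the function names are hypothetical.

```python
RRSIG, NSEC = 46, 47
# Assumption: placeholder code point for the synthetic ENT signal type;
# the thread does not state the real value.
ENT_SIGNAL = 65281

def encode_bitmap(types):
    """Encode RR types as an NSEC type bitmap (RFC 4034, section 4.1.2)."""
    windows = {}
    for t in sorted(set(types)):
        block = windows.setdefault(t >> 8, bytearray(32))
        block[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
    out = bytearray()
    for win in sorted(windows):
        bits = bytes(windows[win]).rstrip(b"\x00")  # drop trailing zero octets
        out += bytes([win, len(bits)]) + bits
    return bytes(out)

def decode_bitmap(wire):
    """Decode an NSEC type bitmap, rejecting malformed window blocks."""
    types, pos, last = set(), 0, -1
    while pos < len(wire):
        if pos + 2 > len(wire):
            raise ValueError("truncated window header")
        win, length = wire[pos], wire[pos + 1]
        pos += 2
        # Windows must be strictly increasing, 1..32 octets, and fit the buffer.
        if not 1 <= length <= 32 or win <= last or pos + length > len(wire):
            raise ValueError("malformed window block")
        for i, octet in enumerate(wire[pos:pos + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add(win * 256 + i * 8 + bit)
        pos += length
        last = win
    return types

def classify(rcode, wire):
    """Interpret an answer whose NSEC owner name matches the query name."""
    types = decode_bitmap(wire)
    if rcode != "NOERROR":
        return "not-a-compact-denial"
    if ENT_SIGNAL in types:
        return "empty-non-terminal"
    if types == {RRSIG, NSEC}:
        return "ambiguous"  # nonexistent name, or an ENT without the signal
    return "nodata"         # name exists with other types
```
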
