On 06/03/2023 03.35, Shumon Huque wrote:
> I suspect that unilaterally putting NXDOMAIN into the rcode field will break a lot of validator code. They are likely to use the rcode to advise them on what type of proof to look for in the message body, and they won't find a traditional NXDOMAIN proof.
My understanding of RFCs is that NXDOMAIN or NOERROR are a mandatory part of what needs to be proven by the records inside. If the proof doesn't match the RCODE, surely validators should SERVFAIL. I don't think you can salvage this by a simple new EDNS option; it's the signed records where you need to prove the result you want.
--Vladimir | knot-resolver.cz
