John it won’t work with chained validators. -- Mark Andrews
> On 15 Mar 2023, at 07:59, John Levine <[email protected]> wrote: > > It appears that Peter Thomassen <[email protected]> said: >> So I take it that when the EDNS signal is there, compact DoE responses get >> an NXDOMAIN code. >> >> In case the EDNS flag is not set, does the nameserver return (a) the compact >> proof (with sentinel in >> the type map) is sent, but with a NOERROR code, or (b) a classical proof (no >> sentinel), but with an >> NXDOMAIN code? > > It would return a RFC 4470 white lie, which does the same thing but is > larger since it needs two NSEC and two RRSIG records, one for the name > and one to show there's no wildcard. > > I wouldn't try to get any more clever. Just use an EDNS0 code in the > query to say compact results are OK. I'd like to use the same code to > say this result is really NXDOMAIN, but those aren't signed, so I > think we do need to assign a metatype to go in the signed NSEC. > > R's, > John > > > > _______________________________________________ > DNSOP mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/dnsop _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
