On Mon, Jul 24, 2023 at 07:08:29PM -0700, Brian Dickson wrote:
> I believe there are three potential query/answer things that on-line
> signers want to compactly respond to:
>
> 1. Name exists, other types exist, queried type does not exist
> 2. Name exists, no types exist (ENT), queried type does not exist
> 3. Name does not exist
>
> What if, rather than a response that needs inference for (3), an explicit
> response is provided, in the form of a signed record?
> It might not ever need to occur in an NSEC bitmap, since the name itself
> doesn't exist.
>
> For NXDOMAIN, respond with an actual NXNAME (no RDATA) and corresponding
> RRSIG.
The issue with that is that this is not the RTYPE in the query, and the response is therefore bogus/irrelevant from the perspective of legacy validating resolvers. This would require all validating resolvers to implement the NXNAME RTYPE as a new valid authenticated denial of existence signal, so the adoption path is noticeably more complex.

Perhaps (interoperability permitting, TBD) another option is to send an empty type bitmap for one of NXDOMAIN vs. ENT and NSEC + RRSIG for the other; this involves no new RTYPEs, just a different "shape" answer.

More generally, any two distinct bitmap choices from:

- Empty
- Just NSEC
- Just RRSIG
- Both NSEC and RRSIG

-- 
Viktor.
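As an added illustration (not code from either poster), the following encodes and decodes RFC 4034 NSEC type bitmaps and shows how a shape-aware resolver could distinguish the four bitmap shapes listed above. Which two shapes map to NXDOMAIN and ENT is left open in the thread; the `SHAPES` mapping below is an assumption made for the example.

```python
# Added example: RFC 4034 NSEC type-bitmap encoding plus a classifier for the
# "different shape" compact-denial idea. The SHAPES mapping is an ASSUMPTION.
from typing import Iterable, Set

RRSIG, NSEC = 46, 47  # RR type codes (RFC 4034)


def encode_type_bitmap(types: Iterable[int]) -> bytes:
    """Encode RR types as an NSEC type bitmap (RFC 4034 section 4.1.2).
    Windows holding no types are omitted, so an empty set encodes to b''."""
    windows = {}
    for t in types:
        win, low = t >> 8, t & 0xFF
        bits = windows.setdefault(win, bytearray(32))
        bits[low >> 3] |= 0x80 >> (low & 7)  # MSB-first within each octet
    out = b""
    for win in sorted(windows):
        bits = bytes(windows[win]).rstrip(b"\x00")  # drop trailing zero octets
        out += bytes([win, len(bits)]) + bits
    return out


def decode_type_bitmap(data: bytes) -> Set[int]:
    """Inverse of encode_type_bitmap; raises ValueError on malformed input."""
    types, i = set(), 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        win, length = data[i], data[i + 1]
        if not 1 <= length <= 32 or i + 2 + length > len(data):
            raise ValueError("bad window bitmap length")
        for j, octet in enumerate(data[i + 2:i + 2 + length]):
            for b in range(8):
                if octet & (0x80 >> b):
                    types.add((win << 8) | (j * 8 + b))
        i += 2 + length
    return types


# Assumed convention: empty bitmap means NXDOMAIN, NSEC+RRSIG means ENT.
SHAPES = {frozenset(): "NXDOMAIN", frozenset({NSEC, RRSIG}): "ENT"}


def classify_compact_denial(bitmap: bytes, qtype: int) -> str:
    """Conclusion a shape-aware resolver draws from an NSEC matching the qname."""
    present = decode_type_bitmap(bitmap)
    if qtype in present:
        return "INVALID"  # the bitmap must not assert the very type being denied
    return SHAPES.get(frozenset(present), "NODATA")
```

A legacy validator ignores the shape and treats any matching NSEC whose bitmap lacks the qtype as NODATA/ENT, which is why no new RTYPE is needed for the non-upgraded path.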