On Tue, Jul 25, 2023 at 10:43:25AM -0700, Shumon Huque wrote:

> Ok, yes, I understand now, thanks. An NXNAME-ignorant validator
> will treat a response to a query for the NXNAME type specifically
> as bogus, and could spray a bunch of follow-on queries to other
> servers for the zone before giving up and returning SERVFAIL.
>
> If the Compact DoE authority is specially defined to return only
> "NSEC RRSIG" in the type bitmap for explicit NXNAME queries
> for a non-existent name, doesn't that solve the problem?
Yes, that could solve the problem, though NXNAME-aware resolvers would
need a somewhat tricky cache state that holds and returns:

- The NSEC record with the "NSEC RRSIG NXNAME" bitmap for most RTYPEs
- The "NSEC RRSIG" bitmap if explicitly asked for NXNAME.

The draft should describe the behaviour expected from auth servers, and
validating resolvers, including their responses upstream.

To me a single signed record that proves NXDOMAIN regardless of the
query RTYPE sure looks simpler! The above is noticeably kludgier.

Especially simple would be using just distinct combinations of "NSEC"
and "RRSIG" for NXDOMAIN vs ENT, with no new sentinel types, provided
resolvers can gracefully handle bare-bones bitmaps that include a
proper subset of "NSEC RRSIG".

-- 
    Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
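The exchange above turns on what a Compact DoE authority puts in the NSEC type bitmap and how a validator reads it. The following is an added worked example, not code from the thread, the draft, or any implementation: it encodes and decodes the RFC 4034 section 4.1.2 window-block type bitmap, models the authority-side "mask NXNAME on explicit NXNAME queries" behaviour Shumon proposes, shows the NXNAME-ignorant validator's bogus outcome it is meant to avoid, and sketches the two-bitmap cache state Viktor says an NXNAME-aware resolver would then need. The type code 128 for NXNAME, the names `auth_bitmap`, `validate` and `AwareCache`, and the cache behaviour are assumptions made for illustration; the draft being discussed had not fixed a code at the time.

```python
"""Added example: NSEC type bitmaps under Compact Denial of Existence."""

# RR type codes from the IANA registry; NXNAME = 128 is an assumed
# placeholder for the sentinel type, not a value taken from the draft.
RRTYPE = {"A": 1, "MX": 15, "AAAA": 28, "RRSIG": 46, "NSEC": 47, "NXNAME": 128}
A, RRSIG, NSEC, NXNAME = RRTYPE["A"], RRTYPE["RRSIG"], RRTYPE["NSEC"], RRTYPE["NXNAME"]


def encode_bitmap(types):
    """Encode a set of RR type codes as NSEC window blocks (RFC 4034 s4.1.2)."""
    windows = {}
    for t in types:
        if not 0 <= t <= 0xFFFF:
            raise ValueError(f"bad RR type {t}")
        win, off = divmod(t, 256)
        windows.setdefault(win, bytearray(32))[off // 8] |= 0x80 >> (off % 8)
    out = bytearray()
    for win in sorted(windows):
        bits = windows[win]
        length = 32
        while length > 1 and bits[length - 1] == 0:  # trailing zero octets are omitted
            length -= 1
        out += bytes((win, length)) + bits[:length]
    return bytes(out)


def decode_bitmap(data):
    """Decode window blocks into a set of RR type codes; reject malformed input."""
    types, i = set(), 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        win, length = data[i], data[i + 1]
        if not 1 <= length <= 32:
            raise ValueError(f"bad bitmap length {length}")
        block = data[i + 2:i + 2 + length]
        if len(block) != length:
            raise ValueError("truncated bitmap")
        i += 2 + length
        for octet, b in enumerate(block):
            for bit in range(8):
                if b & (0x80 >> bit):
                    types.add(win * 256 + octet * 8 + bit)
    return types


def auth_bitmap(name_state, qtype, mask_nxname_on_explicit_query):
    """Type bitmap a Compact DoE authority puts in the NSEC matching the qname.

    name_state is 'nxdomain' or 'ent'. With the mask flag set the server answers
    an explicit NXNAME query with only "NSEC RRSIG", so an NXNAME-ignorant
    validator never sees its own qtype in the bitmap (assumed behaviour).
    """
    if name_state == "ent":
        return {NSEC, RRSIG}
    if name_state != "nxdomain":
        raise ValueError(name_state)
    if mask_nxname_on_explicit_query and qtype == NXNAME:
        return {NSEC, RRSIG}
    return {NSEC, RRSIG, NXNAME}


def validate(qtype, bitmap, nxname_aware):
    """Outcome a validator reaches from a matching NSEC carrying this bitmap.

    Deliberately does not require both NSEC and RRSIG to be set, so it also
    tolerates the bare-bones bitmaps mentioned at the end of the reply.
    """
    if qtype in bitmap:
        return "BOGUS"  # NSEC asserts the queried type exists, yet no answer came
    if nxname_aware and NXNAME in bitmap:
        return "NXDOMAIN"
    return "NODATA"  # an ENT, or an NXNAME-ignorant view of a non-existent name


def scenario(name_state, qtype, mask, aware):
    """Full round trip: authority bitmap -> wire -> validator verdict."""
    wire = encode_bitmap(auth_bitmap(name_state, qtype, mask))
    return validate(qtype, decode_bitmap(wire), aware)


class AwareCache:
    """Assumed cache state for an NXNAME-aware resolver under the masking scheme:
    keep the full bitmap learned from an ordinary query and strip NXNAME only
    when re-serving an explicit NXNAME query downstream."""

    def __init__(self):
        self.entries = {}

    def store(self, name, bitmap):
        self.entries[name] = set(bitmap)

    def bitmap_for(self, name, qtype):
        full = self.entries[name]
        return full - {NXNAME} if qtype == NXNAME else full


if __name__ == "__main__":
    for args in (("nxdomain", A, False, True), ("nxdomain", NXNAME, False, False),
                 ("nxdomain", NXNAME, True, False), ("ent", A, False, True)):
        print(args, "->", scenario(*args))
```

The `scenario` calls in the `__main__` block walk the thread's cases in order: an aware validator proving NXDOMAIN from an ordinary query, the ignorant validator going bogus on an explicit NXNAME query when the sentinel is not masked, the same query passing as NODATA once the authority masks it, and an ENT answer. `AwareCache` is only a sketch of the extra state Viktor describes; a cache that learned a name solely from a masked explicit-NXNAME answer would hold "NSEC RRSIG" and could no longer tell that name from an ENT, which is part of why he calls the scheme kludgy.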