On Tue, Jul 25, 2023 at 03:39:01PM -0700, Shumon Huque wrote:
> Viktor - your original suggestion was to only define the ENT sentinel
> instead of NXNAME. How would that solve the problem of systems and
> applications needing to precisely obtain the NXDOMAIN signal? Resolvers
> won't then be able to tell whether a NOERROR bitmap of "NSEC RRSIG"
> is a normal ENT response from a non-Compact DoE implementation, or an
> NXDOMAIN response from a Compact DoE implementation.

For ENTs, there is no inconsistency; the nameserver can return a signed
answer with an empty RDATA for the ENTHERE (TBD) rtype.

    ; QUESTION:
    ent.example. IN ENTHERE ?

    ; ANSWER:
    ent.example. IN ENTHERE ""
    ent.example. IN RRSIG ENTHERE ...

While for other RTYPEs:

    ; QUESTION:
    ent.example. IN A ?

    ; AUTHORITY:
    example. IN SOA ...
    example. IN RRSIG SOA ...
    ent.example. IN NSEC \000.ent.example. NSEC RRSIG ENTHERE
    ent.example. IN RRSIG NSEC ...

--
Viktor.
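
Added example (not part of the original message and not code from any DNS implementation): Python that decodes the wire-format NSEC type bitmap (RFC 4034, section 4.1.2) from responses like the ones above and checks for the sentinel. The ENTHERE type code is TBD in the message, so 65280 from the private-use range stands in as a placeholder; the function names and sample bitmaps are constructed for illustration.

```python
# Added illustration. ENTHERE has no assigned code ("TBD" in the message),
# so a private-use value is used as a placeholder.
NSEC, RRSIG = 47, 46
ENTHERE_PLACEHOLDER = 65280  # constructed placeholder, not an assigned code


def decode_type_bitmap(data):
    """Decode NSEC window blocks into a set of RR type codes."""
    types, pos, last_window = set(), 0, -1
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated window header")
        window, length = data[pos], data[pos + 1]
        # Windows must be strictly increasing; each bitmap is 1..32 octets.
        if window <= last_window or not 1 <= length <= 32:
            raise ValueError("bad window order or bitmap length")
        block = data[pos + 2 : pos + 2 + length]
        if len(block) != length:
            raise ValueError("truncated bitmap")
        for i, octet in enumerate(block):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add(window * 256 + i * 8 + bit)
        pos, last_window = pos + 2 + length, window
    return types


def classify_nsec_bitmap(bitmap):
    """Classify an already-validated NOERROR NSEC at the query name."""
    types = decode_type_bitmap(bitmap)
    if ENTHERE_PLACEHOLDER in types:
        return "ENT"        # sentinel present, as in the A query response above
    if types == {NSEC, RRSIG}:
        return "AMBIGUOUS"  # the bare bitmap raised in the quoted question
    return "NODATA"         # name exists with other types, not the one asked


# Constructed sample bitmaps (window 0 holds RRSIG/NSEC, window 255 the placeholder)
ENT_BITMAP = bytes.fromhex("0006000000000003ff0180")   # NSEC RRSIG ENTHERE
BARE_BITMAP = bytes.fromhex("0006000000000003")        # NSEC RRSIG
A_BITMAP = bytes.fromhex("0006400000000003")           # A NSEC RRSIG
```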