On Tue, Jul 25, 2023 at 03:39:01PM -0700, Shumon Huque wrote:

> Viktor - your original suggestion was to only define the ENT sentinel
> instead of NXNAME. How would that solve the problem of systems and
> applications needing to precisely obtain the NXDOMAIN signal. Resolvers
> won't then be able to tell whether a NOERROR bitmap of "NSEC RRSIG"
> is a normal ENT response from a non Compact DoE implementation, or an
> NXDOMAIN response from a Compact DoE implementation.
I may not have answered Shumon's question in full. The missing piece is that "NSEC RRSIG" isn't a "normal ENT response".

In classic RFC 4035 DNSSEC, ENTs aren't part of the NSEC chain (NSEC records are associated only with names that appear as explicit nodes in the zone with at least one real RRset). To prove an ENT, a classic DNSSEC server returns:

    strictly-prior-node. IN NSEC descendant-of-ent. <bitmap for prior node>

The fact that the next name is a descendant of the ENT proves the existence of the ENT as an empty node. There are never any "NSEC RRSIG" bitmaps in classic DNSSEC. This combination has to mean something special is going on.

-- 
    Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
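The ENT proof Viktor describes, worked through as an added example (not code from the thread or from any DNS implementation): given a single classic NSEC record, it applies RFC 4034 section 6.1 canonical ordering to decide whether a query name is covered, and if so whether the next name being a descendant of the query name makes it an ENT proof rather than an NXDOMAIN proof. The sample zone names and the "NOT-CLASSIC" label for an "NSEC RRSIG"-only bitmap are constructed for illustration; wildcard and closest-encloser checks that a full validator also needs are deliberately left out.

```python
"""Classify what one classic (RFC 4035) NSEC record proves about a query name.

Assumes the NSEC RR has already been validated and that all names are
absolute dotted strings. Sample data below is constructed, not captured.
"""


def labels(name: str) -> list[bytes]:
    # RFC 4034 s6.1 canonical form: lowercase labels, ordered root-first,
    # so Python list/bytes comparison yields the canonical DNS ordering.
    return [lab.lower().encode() for lab in name.rstrip(".").split(".") if lab][::-1]


def canonical_lt(a: str, b: str) -> bool:
    return labels(a) < labels(b)


def is_descendant(name: str, ancestor: str) -> bool:
    n, a = labels(name), labels(ancestor)
    return len(n) > len(a) and n[: len(a)] == a


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname lies strictly inside (owner, next); the last NSEC wraps to the apex."""
    if canonical_lt(owner, next_name):
        return canonical_lt(owner, qname) and canonical_lt(qname, next_name)
    return canonical_lt(owner, qname) or canonical_lt(qname, next_name)


def classify(owner: str, next_name: str, bitmap: str, qname: str) -> str:
    types = set(bitmap.split())
    if types == {"NSEC", "RRSIG"}:
        # Never produced by an RFC 4035 signer: only an NSEC-bearing node with no
        # other RRset would have it, and such nodes do not exist in classic zones.
        return "NOT-CLASSIC"
    if labels(qname) == labels(owner):
        return "NAME-EXISTS"  # owner matches; the bitmap then answers NODATA questions
    if not nsec_covers(owner, next_name, qname):
        return "NOT-COVERED"  # this record says nothing about qname
    if is_descendant(next_name, qname):
        return "ENT"  # next name sits below qname, so qname is an empty non-terminal
    return "NXDOMAIN"  # full proof also needs the wildcard/closest-encloser NSEC


# Constructed sample: b.example.com. is an ENT above c.b.example.com.,
# and a.example.com. is the explicit node just before it in canonical order.
OWNER, NEXT, BITMAP = "a.example.com.", "c.b.example.com.", "A RRSIG NSEC"

if __name__ == "__main__":
    for q in ("b.example.com.", "ab.example.com.", "z.example.com."):
        print(q, classify(OWNER, NEXT, BITMAP, q))
```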