RFC 9824 on Compact Denial of Existence in DNSSEC says how to generate miniallly covering DNSSEC signatures on the fly which works great so long as the name exists. If it doesn't, we invented the NXNAME psedudo-RRtype as a flag to say this response is really an NXDOMAIN. Section 5 describes that and encourages resolvers to return a real NXDOMAIN.

Over in another working group I got an proposed errata for RFC9989 saying that where it says applications check for NXDOMAIN, they also have to check for NXNAME, for resolvers that don't recover the NXDOMAIN. I rejected it but he insists claiming that (approximately) the resolvers he's seen don't actually recover NXDOMAIN.

It seems to me that's a bug in the resolver, that's the whole point of the CO flag and NXNAME. The alternative is to file a similar erratum on every RFC that mentions NXDOMAIN. What do you think?

Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to