RFC 9824 on Compact Denial of Existence in DNSSEC says how to generate
miniallly covering DNSSEC signatures on the fly which works great so long
as the name exists. If it doesn't, we invented the NXNAME psedudo-RRtype
as a flag to say this response is really an NXDOMAIN. Section 5 describes
that and encourages resolvers to return a real NXDOMAIN.
Over in another working group I got an proposed errata for RFC9989 saying
that where it says applications check for NXDOMAIN, they also have to
check for NXNAME, for resolvers that don't recover the NXDOMAIN. I
rejected it but he insists claiming that (approximately) the resolvers
he's seen don't actually recover NXDOMAIN.
It seems to me that's a bug in the resolver, that's the whole point of the
CO flag and NXNAME. The alternative is to file a similar erratum on every
RFC that mentions NXDOMAIN. What do you think?
Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]