HiI think this is an excellent addition. One aspect I particularly appreciate is the use of the EXTRA-TEXT field to provide human-readable context. Being able to see not only that an NTA is in effect, but also /_which_/ NTA and _/why/ _it was applied, would be extremely valuable when diagnosing DNSSEC incidents.
If I'm not mistaken, the only extra work for DNSTAP conversion, parsing and log-shipping would be to capture the optional text in EDE 33 if or when bind9 implements it.
Thank you Carlos Horowicz Planisys On 17/06/2026 12:47, Joe Abley wrote:
Hi all, Babak, Sebastiaan and I put pen to paper and came up with the following: https://datatracker.ietf.org/doc/draft-farrokhi-dnsop-ede-nta/ https://github.com/farrokhi/id-ede-nta (working copy) The goal is to provide guidance about using a specific Extended DNS Error as an in-band signal that a Negative Trust Anchor is in effect in a resolver. It was inspired by the somewhat recent events with DE and the reaction to those events in 9.9.9.9 and 1.1.1.1. We now have a code-point assigned for the EDE (33), and implementation is planned in 1.1.1.1. This document is at most an informational document to act as a reference for the code-point assignment. It could be an individual submission; we don't necessarily see a need to engage the working group bureaucracy. However, the people on this list have a keen eye for detail and we would love to get some more review. If you have a chance to take a look, we'd appreciate it. Thanks, Joe
_______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
