Hi

I think this is an excellent addition. One aspect I particularly appreciate is the use of the EXTRA-TEXT field to provide human-readable context. Being able to see not only that an NTA is in effect, but also /_which_/ NTA and _/why/ _it was applied, would be extremely valuable when diagnosing DNSSEC incidents.

If I'm not mistaken, the only extra work for DNSTAP conversion, parsing and log-shipping would be to capture the optional text in EDE 33 if or when bind9 implements it.

Thank you

Carlos Horowicz
Planisys

On 17/06/2026 12:47, Joe Abley wrote:
Hi all,

Babak, Sebastiaan and I put pen to paper and came up with the following:

https://datatracker.ietf.org/doc/draft-farrokhi-dnsop-ede-nta/

https://github.com/farrokhi/id-ede-nta (working copy)

The goal is to provide guidance about using a specific Extended DNS Error as an 
in-band signal that a Negative Trust Anchor is in effect in a resolver. It was 
inspired by the somewhat recent events with DE and the reaction to those events 
in 9.9.9.9 and 1.1.1.1.

We now have a code-point assigned for the EDE (33), and implementation is 
planned in 1.1.1.1.

This document is at most an informational document to act as a reference for 
the code-point assignment. It could be an individual submission; we don't 
necessarily see a need to engage the working group bureaucracy. However, the 
people on this list have a keen eye for detail and we would love to get some 
more review. If you have a chance to take a look, we'd appreciate it.

Thanks,


Joe
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to