On Thu, 9 Jul 2026, Petr Špaček wrote:
It could do NXDOMAIN for the zone cut but I can see how that would be confusing too.

NXDOMAIN would require maintaining two NSEC chains (for delext-aware and delext-unaware clients) and that's big no-no from design standpoint.

I realize that would be painful, but it seems to me like the tail wagging the dog.

Personally when I think about permissible behavior I do it 'backwards': Start from a NSEC chain with delext-RRtype bit set in it, and then derive how responses with it would be interpreted by legacy clients who do not understand the new delext semantics.

Our fundamental problem is that there is no good way for a response to say "there's stuff here you could see if you upgraded your resolver" so everything is wrong in different ways. Per an argument from last wek, in practice most applications treat NOERROR and NXDOMAIN the same so the current spec seems no worse than any plausible alternative.

R's,
John

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to