On Thu, 9 Jul 2026, Petr Špaček wrote:
It could do NXDOMAIN for the zone cut but I can see how that would be
confusing too.
NXDOMAIN would require maintaining two NSEC chains (for delext-aware and
delext-unaware clients) and that's big no-no from design standpoint.
I realize that would be painful, but it seems to me like the tail wagging
the dog.
Personally when I think about permissible behavior I do it 'backwards': Start
from a NSEC chain with delext-RRtype bit set in it, and then derive how
responses with it would be interpreted by legacy clients who do not
understand the new delext semantics.
Our fundamental problem is that there is no good way for a response to say
"there's stuff here you could see if you upgraded your resolver" so
everything is wrong in different ways. Per an argument from last wek, in
practice most applications treat NOERROR and NXDOMAIN the same so the
current spec seems no worse than any plausible alternative.
R's,
John
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]