On 13 Jul 2026, at 16:51, Petr Špaček <[email protected]> wrote: >> If there was a really good use case for machine-parsing the information in >> the EXTRA-TEXT perhaps that would be convincing, but I can't really think of >> one. > > For this specific case, say a diagnostic tool tools might provide detail than > 'AD=0, some NTA somewhere in effect'. > > Instead if might say something like ... Answer > wwww.example.com CNAME 1234.cdn.example > 1234.cdn.example HTTPS ... > has AD=0 because NTA is activa at cdn.example.com. > > And this can be in French because the tool could ingest the EDE + domain name > in structured form and provide localized output. > > Or the research stats could actually be made more reliable than hand-written > regexes.
Mmmmmmm. I sense this is a can of worms, but perhaps that's just because you mentioned human languages, which as we know are a gateway drug for talking about scripts. The implementation we have live at Cloudflare does not mention the particular NTA that is in place. So for example the following example is less helpful than you had hoped for: jabley@manta ~ % dig @1.1.1.1 ntamuch.org soa ; <<>> DiG 9.20.24 <<>> @1.1.1.1 ntamuch.org soa ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58068 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; EDE: 33: (a Negative Trust Anchor has been applied for this query (see RFC 7646)) ;; QUESTION SECTION: ;ntamuch.org. IN SOA ;; ANSWER SECTION: ntamuch.org. 1800 IN SOA barbara.ns.cloudflare.com. dns.cloudflare.com. 2407706086 10000 2400 604800 1800 ;; Query time: 24 msec ;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP) ;; WHEN: Mon Jul 13 17:11:49 CEST 2026 ;; MSG SIZE rcvd: 181 jabley@manta ~ % You can't tell from that response that the NTA is applied to the NTAMUCH.ORG zone (which is what is going on) or whether there's some other NTA installed at ORG (there isn't). Or maybe there could be NTAs installed at both for different reasons. Maybe that response could have been validated and would have been fine. All you know is that you have received a response for a name that is covered by an NTA. I appreciate other implementations might return different information in there, including more helpful detail of the kind you suggest. I think there's some benefit in not over-specifying the message format, though. I don't know that it's reasonable to anticipate every element of data that anybody might want to see, or even to propose an optional schema if it turns out it doesn't suit some implementations. The core goal with this was to give the system receiving a response that normally would have been suppressed due to validation some clue as to what is happening. I don't actually think we need any EXTRA-TEXT for that. I'm interested to hear from others what they think about this. Babak and I will also be in Vienna and I think we're on one of the dnsop agendas, so maybe this is also a good question for the mic line. Joe _______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
