On 13 Jul 2026, at 16:51, Petr Špaček <[email protected]> wrote:

>> If there was a really good use case for machine-parsing the information in 
>> the EXTRA-TEXT perhaps that would be convincing, but I can't really think of 
>> one.
> 
> For this specific case, say a diagnostic tool tools might provide detail than 
> 'AD=0, some NTA somewhere in effect'.
> 
> Instead if might say something like ... Answer
> wwww.example.com CNAME 1234.cdn.example
> 1234.cdn.example HTTPS ...
> has AD=0 because NTA is activa at cdn.example.com.
> 
> And this can be in French because the tool could ingest the EDE + domain name 
> in structured form and provide localized output.
> 
> Or the research stats could actually be made more reliable than hand-written 
> regexes.

Mmmmmmm. I sense this is a can of worms, but perhaps that's just because you 
mentioned human languages, which as we know are a gateway drug for talking 
about scripts.

The implementation we have live at Cloudflare does not mention the particular 
NTA that is in place. So for example the following example is less helpful than 
you had hoped for:

jabley@manta ~ % dig @1.1.1.1 ntamuch.org soa  

; <<>> DiG 9.20.24 <<>> @1.1.1.1 ntamuch.org soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58068
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 33: (a Negative Trust Anchor has been applied for this query (see RFC 
7646))
;; QUESTION SECTION:
;ntamuch.org. IN SOA

;; ANSWER SECTION:
ntamuch.org. 1800 IN SOA barbara.ns.cloudflare.com. dns.cloudflare.com. 
2407706086 10000 2400 604800 1800

;; Query time: 24 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Mon Jul 13 17:11:49 CEST 2026
;; MSG SIZE  rcvd: 181

jabley@manta ~ % 

You can't tell from that response that the NTA is applied to the NTAMUCH.ORG 
zone (which is what is going on) or whether there's some other NTA installed at 
ORG (there isn't). Or maybe there could be NTAs installed at both for different 
reasons. Maybe that response could have been validated and would have been 
fine. All you know is that you have received a response for a name that is 
covered by an NTA.

I appreciate other implementations might return different information in there, 
including more helpful detail of the kind you suggest. I think there's some 
benefit in not over-specifying the message format, though. I don't know that 
it's reasonable to anticipate every element of data that anybody might want to 
see, or even to propose an optional schema if it turns out it doesn't suit some 
implementations.

The core goal with this was to give the system receiving a response that 
normally would have been suppressed due to validation some clue as to what is 
happening. I don't actually think we need any EXTRA-TEXT for that.

I'm interested to hear from others what they think about this. Babak and I will 
also be in Vienna and I think we're on one of the dnsop agendas, so maybe this 
is also a good question for the mic line.


Joe

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to