On Tue, Mar 28, 2023 at 12:16 AM Viktor Dukhovni <[email protected]> wrote:
> On Mon, Mar 27, 2023 at 04:28:30PM +0200, Emmanuel Fusté wrote:
>
> > > definitely does not exist. The issue, I take it, is that the
> > > sentinel-free:
> > >
> > > nxdomain.example. IN NSEC \0.nxdomain.example. RRSIG NSEC
> > >
> > > which is an ENT per:
> > >
> > > https://datatracker.ietf.org/doc/html/draft-huque-dnsop-compact-lies-01#section-3.2
> > >
> > > may for some time be ambiguous while still used for NXDOMAIN by earlier
> > > implementations. For that, sure, we should encourage those
> > > implementations to adopt whatever becomes the published protocol at
> > > their earliest convenience (realistically a year or two based on prior
> > > experience nagging operators to resolve compliance issues).
> >
> > Thank you Viktor.
> > That confirms my understanding and my analysis in my answers to Petr.
>
> Do you have a list of operators that currently return just "RRSIG NSEC"
> for ENTs? Do you know what software they are running?
>
> On the fly signing with compact denial of existence is a bleeding-edge
> behaviour, and one might expect that the software in question is not
> ossified and operators might be proactive. So with a bit of luck any
> ambiguity might be resolved before long.
>
> The only other option is to introduce yet another sentinel that signals
> that the node in question is an ENT, so that the bare "RRSIG NSEC"
> combination is ultimately never used.
>
> And, FWIW, the sentinel value will surely need to change (once a better
> codepoint is assigned). The current 0xff03 is in the private-use range.

I've spoken to both NS1 and Route53, and both are amenable to adjusting their implementations to support the changes specified in draft-huque-dnsop-compact-lies. So, we hope that the end result will be that all known implementations of compact lies will support this common mechanism to distinguish NXDOMAIN vs ENT vs (other) NODATA.

If there are any other implementations of Compact Lies that folks are aware of, we should make them aware of this and bring them into the fold.

Shumon.
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
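The distinction the thread is about (NXDOMAIN vs ENT vs NODATA from a single synthesised NSEC) and the ambiguity Viktor points out can both be seen in a small classifier. The following is an added example written for this page, not code from the thread, the draft, or any of the implementations named above. It encodes and decodes the NSEC type bitmap in the RFC 4034 section 4.1.2 wire format, then applies the draft's rule: sentinel type present means NXDOMAIN, a bitmap of exactly RRSIG and NSEC means ENT, anything else is NODATA. The sentinel defaults to the private-use value 0xff03 quoted in the thread and is a parameter, because, as Viktor notes, it was expected to change; the `NXNAME` constant (type 128) is the codepoint the IETF-stream successor of this draft was later assigned, stated here from knowledge outside this page. The "ambiguous" flag records the case the thread discusses: a bare RRSIG NSEC bitmap that an earlier implementation may still be using for NXDOMAIN. All names and bitmaps are constructed sample data.

```python
# Added example: classifying compact-denial NSEC records as NXDOMAIN, ENT or NODATA.
# Not code from the thread or from any named implementation. Type-bitmap wire format
# per RFC 4034 s4.1.2; classification rule per the draft discussed in the thread.
from dataclasses import dataclass

RRSIG, NSEC = 46, 47
# Private-use sentinel codepoint named in the thread (expected to change).
SENTINEL_PRIVATE_USE = 0xFF03
# Codepoint later assigned for this purpose (NXNAME, type 128); stated from outside the page.
NXNAME = 128


def encode_type_bitmap(types):
    """Encode a set of RR type codes as an NSEC type bitmap (RFC 4034 s4.1.2)."""
    windows = {}
    for t in sorted(set(types)):
        if not 0 <= t <= 0xFFFF:
            raise ValueError("RR type out of range: %r" % (t,))
        win, low = t >> 8, t & 0xFF
        block = windows.setdefault(win, bytearray(32))
        block[low >> 3] |= 0x80 >> (low & 7)        # bit 0 of each octet is the MSB
    out = bytearray()
    for win in sorted(windows):
        block = windows[win]
        length = 32
        while length and block[length - 1] == 0:   # trailing zero octets are omitted
            length -= 1
        out += bytes((win, length)) + block[:length]
    return bytes(out)


def decode_type_bitmap(data):
    """Decode an NSEC type bitmap into a frozenset of RR type codes; reject malformed input."""
    types = set()
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        win, length = data[i], data[i + 1]
        if not 1 <= length <= 32:
            raise ValueError("bad bitmap length %d in window %d" % (length, win))
        block = data[i + 2:i + 2 + length]
        if len(block) != length:
            raise ValueError("truncated bitmap in window %d" % win)
        for octet_index, octet in enumerate(block):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add((win << 8) | (octet_index << 3) | bit)
        i += 2 + length
    return frozenset(types)


@dataclass(frozen=True)
class Verdict:
    kind: str        # "NXDOMAIN", "ENT" or "NODATA"
    ambiguous: bool  # True when an earlier signer could have meant NXDOMAIN


def classify_compact_nsec(qname, owner, next_name, bitmap, sentinel=SENTINEL_PRIVATE_USE):
    """Apply the draft's rule to one compact-denial NSEC record (names in presentation form)."""
    # Compact denial synthesises the NSEC at the query name itself, with \000.qname as next name.
    if owner != qname or next_name != "\\000." + owner:
        raise ValueError("not a compact-denial NSEC for %s" % qname)
    types = decode_type_bitmap(bitmap)
    if sentinel in types:
        return Verdict("NXDOMAIN", False)
    if types == {RRSIG, NSEC}:
        # Unambiguous ENT once every signer emits the sentinel; until then, as the
        # thread notes, older implementations use this same shape for NXDOMAIN.
        return Verdict("ENT", True)
    return Verdict("NODATA", False)


def demo():
    """Constructed sample records, one per outcome; returns the verdicts keyed by case."""
    q = "nxdomain.example."
    nxt = "\\000." + q
    return {
        "sentinel": classify_compact_nsec(q, q, nxt, encode_type_bitmap({RRSIG, NSEC, SENTINEL_PRIVATE_USE})),
        "bare": classify_compact_nsec(q, q, nxt, encode_type_bitmap({RRSIG, NSEC})),
        "a_aaaa": classify_compact_nsec(q, q, nxt, encode_type_bitmap({1, 28, RRSIG, NSEC})),
        # Once the assigned codepoint is in use, the validator's sentinel has to move with it.
        "nxname": classify_compact_nsec(q, q, nxt, encode_type_bitmap({RRSIG, NSEC, NXNAME}), sentinel=NXNAME),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The `bare` case is the one the thread cannot yet settle: the classifier labels it ENT per the draft but marks it ambiguous, which is the right posture for a validator until the implementations Shumon mentions have all moved to the sentinel. Note also that the window/length checks in `decode_type_bitmap` are what keep a malformed bitmap from being silently read as "no types", which would otherwise look like a NODATA answer.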
