[dns-operations] Compact denial of existence (NODATA sentinel RRtype)
ietf-dane at dukhovni.org
Tue Apr 11 22:50:19 UTC 2023
> On 11 Apr 2023, at 9:57 am, Edward Lewis <edward.lewis at icann.org> wrote:
> Sure, the cost of replacing NSEC and NSEC3 would be another resource record type code roll
> (such as 5->8, RSA-SHA1 vs RSA-SHA1-NSEC3). But a new on-the-fly denial of existence might
> prove to be worth it in operations.
No such hefty investment is needed. All that's required is to invert the sentinel
RRTYPE from signalling NXDOMAIN to signalling "NODATA", with just "RRSIG" and "NSEC"
in the type bit signalling NXDOMAIN.
The reason to use the sentinel RRTYPE for NODATA is that this provides sensible
semantics for responses to:
nodata.example. IN <sentinel> ?
This type can have a mandatory 0 length RDATA:
; The "" is cosmetic, no other payload is supported.
nodata.example. IN <sentinel> ""
nodata.example. IN RRSIG <sentinel> ...
This response is consistent with the (effectively NODATA) original response,
in that unmodified validating resolvers will find no issues with it, or
conflict with the original response.
On the other hand, promising some sentinel RRTYPE with NXDOMAIN is problematic,
since there is no correct response to an explicit query for that type.
That's all that's needed. Resolvers that wish to remap "RRSIG NSEC" -> NXDOMAIN to upstream
clients that sent DO=0 can do so, or not. Nothing breaks either way.
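As an added illustration (not code from the post or from any resolver), the following builds the NSEC type bitmaps an on-the-fly signer would emit under the scheme above, and shows what a validator concludes from them: only "RRSIG NSEC" means the name does not exist, the sentinel bit means NODATA, and an explicit query for the sentinel type has a consistent answer in both cases. The RRSIG and NSEC codes are the RFC 4034 values; SENTINEL is an assumed placeholder code, since the post does not assign one.

```python
RRSIG, NSEC = 46, 47
SENTINEL = 65280  # assumption: a private-use code standing in for the NODATA sentinel

def encode_type_bitmap(types):
    """Encode RR type codes as an NSEC Type Bit Maps field (RFC 4034 section 4.1.2)."""
    windows = {}
    for t in sorted(set(types)):
        win, low = divmod(t, 256)
        bits = windows.setdefault(win, bytearray(32))
        bits[low // 8] |= 0x80 >> (low % 8)  # network bit order: bit 0 is the MSB
    out = bytearray()
    for win in sorted(windows):
        bits = bytes(windows[win]).rstrip(b"\x00")  # trailing zero octets are omitted
        out += bytes([win, len(bits)]) + bits
    return bytes(out)

def decode_type_bitmap(data):
    """Inverse of encode_type_bitmap; rejects malformed window blocks."""
    types, i = set(), 0
    while i < len(data):
        win, length = data[i], (data[i + 1] if i + 1 < len(data) else 0)
        if not 1 <= length <= 32 or i + 2 + length > len(data):
            raise ValueError("malformed type bitmap")
        for j in range(length):
            for bit in range(8):
                if data[i + 2 + j] & (0x80 >> bit):
                    types.add(win * 256 + j * 8 + bit)
        i += 2 + length
    return types

def synthesize_denial(existing_types):
    """Bitmap of the synthesized NSEC at the query name: None means the name does
    not exist (only RRSIG and NSEC listed); otherwise the sentinel marks NODATA."""
    if existing_types is None:
        return encode_type_bitmap({RRSIG, NSEC})
    return encode_type_bitmap(set(existing_types) | {RRSIG, NSEC, SENTINEL})

def classify(bitmap):
    """What a resolver may conclude from the NSEC bitmap at the query name."""
    return "NXDOMAIN" if decode_type_bitmap(bitmap) == {RRSIG, NSEC} else "NODATA"

def expected_answer(bitmap, qtype):
    """Answer consistent with the bitmap for an explicit qtype at the covered name;
    a positive answer for the sentinel carries zero-length RDATA."""
    types = decode_type_bitmap(bitmap)
    if qtype not in types:
        return "NODATA"
    return "ANSWER rdata=''" if qtype == SENTINEL else "ANSWER"
```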