[dns-operations] Cloudflare TYPE65283

Joe Abley jabley at hopcount.ca
Mon Mar 27 10:14:55 UTC 2023


Hi Emmanuel,

On Mon, Mar 27, 2023 at 10:51, Emmanuel Fusté <manu.fuste at gmail.com> wrote:

> Cloudflare has started to return TYPE65283 in their NSEC records for "compact
> DNSSEC denial of existence"/"minimal lies" for NXDOMAINs.
> It actually breaks "minimal lies" NXDOMAIN established decoding
> implementations.
> Does someone know the TYPE65283 usage/purpose in this context?

If a compact negative response includes an NSEC RR whose type bitmap only includes NSEC and RRSIG, the response is indistinguishable from the case where the name exists but is an empty non-terminal. Adding a special entry in the type bitmap avoids that ambiguity and as a bonus provides an NXDOMAINish signal as a kind of compromise to those consumers who are all pitchforky about the RCODE. The spec currently calls that special type NXNAME.

https://www.ietf.org/archive/id/draft-huque-dnsop-compact-lies-01.txt

The spec is still a work in progress and the NXNAME type does not have a codepoint. I believe TYPE65283 is being used as a placeholder. I think Christian made a comment to that effect on this list last week, although I think he may not have mentioned the specific RRTYPE that was to be used.

If this has caused something to break, more details would be good to hear!

Joe
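
Added example, not part of the message above or of the draft: a decoder for the NSEC type bitmap wire format (RFC 4034, section 4.1.2) that separates the three cases discussed. The function and constant names are hypothetical, the sample bitmaps are constructed by the test helper, and 65283 is the placeholder from this thread, not an assigned NXNAME code point.

```python
# Added example: classify a compact denial-of-existence NSEC by its type bitmap.
# Bitmap wire format is RFC 4034 section 4.1.2; TYPE65283 is the placeholder
# code point named in the message above, not an assigned NXNAME value.
NSEC, RRSIG = 47, 46
NXNAME_PLACEHOLDER = 65283


def encode_bitmap(types):
    """Build the wire-format type bitmap (used here to construct samples)."""
    windows = {}
    for t in sorted(set(types)):
        bits = windows.setdefault(t >> 8, bytearray(32))
        bits[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
    out = bytearray()
    for win, bits in sorted(windows.items()):
        trimmed = bytes(bits).rstrip(b"\x00")
        out += bytes([win, len(trimmed)]) + trimmed
    return bytes(out)


def decode_bitmap(wire):
    """Return the set of RR types in a wire-format NSEC type bitmap."""
    types, pos, last_win = set(), 0, -1
    while pos < len(wire):
        if pos + 2 > len(wire):
            raise ValueError("truncated window header")
        win, length = wire[pos], wire[pos + 1]
        if win <= last_win or not 1 <= length <= 32:
            raise ValueError("malformed window block")
        block = wire[pos + 2 : pos + 2 + length]
        if len(block) != length:
            raise ValueError("truncated bitmap")
        for i, byte in enumerate(block):
            for bit in range(8):
                if byte & (0x80 >> bit):
                    types.add(win * 256 + i * 8 + bit)
        pos, last_win = pos + 2 + length, win
    return types


def classify(wire):
    """Interpret the NSEC at the queried name in a compact negative answer."""
    types = decode_bitmap(wire)
    if NXNAME_PLACEHOLDER in types:
        return "name does not exist"
    if types == {NSEC, RRSIG}:
        return "ambiguous: empty non-terminal or nonexistent name"
    return "name exists (NODATA for the queried type)"
```

A decoder that treats exactly {NSEC, RRSIG} as NXDOMAIN will stop matching once the extra type appears in the bitmap, so the check should test for the marker type rather than for set equality.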
