[dns-operations] Cloudflare TYPE65283
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Mar 27 14:15:14 UTC 2023
On Mon, Mar 27, 2023 at 03:27:34PM +0200, Emmanuel Fusté wrote:
> If Cloudflare switches to this draft for the ENT case too, it will become
> as bad as Route53 and only NS1 will give distinguishable real NXDOMAIN.
> Or ALL compact lies response implementers should switch to this new draft
> and be known to have switched.
>
> Am I missing something? (truly possible :-) )
To clarify, it isn't the new 0xff03 sentinel RRTYPE that hinders
distinguishing NXDOMAIN from NODATA responses (once the codepoint is
recognised). If you see:
nxdomain.example. IN NSEC \0.nxdomain.example. RRSIG NSEC TYPE65283
you know that "nxdomain.example." definitely does not exist. The issue,
I take it, is that the sentinel-free:
nxdomain.example. IN NSEC \0.nxdomain.example. RRSIG NSEC
which is an ENT per:
https://datatracker.ietf.org/doc/html/draft-huque-dnsop-compact-lies-01#section-3.2
may for some time be ambiguous while still used for NXDOMAIN by earlier
implementations. For that, sure, we should encourage those
implementations to adopt whatever becomes the published protocol at
their earliest convenience (realistically a year or two based on prior
experience nagging operators to resolve compliance issues).
--
Viktor.
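As an added illustration of the distinction discussed above (example code, not from the thread or from any resolver or authoritative implementation): a small Python classifier that decodes an NSEC type bitmap (RFC 4034 window-block format) and reads a compact-lies NSEC the way the draft lays it out. It assumes the synthesized next-owner name is "\0.<qname>" as in the records quoted above, that 0xff03 (TYPE65283) is the NXDOMAIN sentinel, and that an RRSIG+NSEC-only bitmap is the ENT form that older servers also used for NXDOMAIN; the sample records are constructed.

```python
"""Classify Compact Denial of Existence (compact lies) NSEC answers."""
RRSIG, NSEC, NXNAME = 46, 47, 0xFF03  # 0xff03 == TYPE65283 (sentinel)

def encode_type_bitmap(types):
    """Pack RR type numbers into NSEC window-block wire format (RFC 4034 4.1.2)."""
    windows = {}
    for t in types:
        win, low = t >> 8, t & 0xFF
        bits = windows.setdefault(win, bytearray(32))
        bits[low // 8] |= 0x80 >> (low % 8)
    out = bytearray()
    for win in sorted(windows):
        bits = windows[win].rstrip(b"\0")  # trailing zero octets are omitted
        out += bytes([win, len(bits)]) + bits
    return bytes(out)

def decode_type_bitmap(wire):
    """Unpack window-block wire format into a set of RR type numbers."""
    types, i = set(), 0
    while i < len(wire):
        if i + 2 > len(wire):
            raise ValueError("truncated NSEC type bitmap")
        win, length = wire[i], wire[i + 1]
        if not 1 <= length <= 32 or i + 2 + length > len(wire):
            raise ValueError("malformed NSEC type bitmap")
        for idx, octet in enumerate(wire[i + 2:i + 2 + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add((win << 8) | (idx * 8 + bit))
        i += 2 + length
    return types

def classify(qname, next_owner, bitmap_wire):
    """Say how a validator should read one NSEC from a compact-lies server."""
    types = decode_type_bitmap(bitmap_wire)
    # Compact lies synthesize next-owner "\0.<qname>" (assumed, per the draft).
    if next_owner.lower() != "\\0." + qname.lower():
        return "classic NSEC (not a compact-lies synthesis)"
    if NXNAME in types:
        return "NXDOMAIN"  # sentinel present: the name definitely does not exist
    if types - {RRSIG, NSEC}:
        return "NODATA"  # the name exists and owns the other listed types
    # RRSIG+NSEC only: ENT per the draft, but legacy servers used it for NXDOMAIN.
    return "ENT or legacy NXDOMAIN (ambiguous)"

if __name__ == "__main__":
    q, nxt = "nxdomain.example.", "\\0.nxdomain.example."  # constructed sample
    for bm in ({RRSIG, NSEC, NXNAME}, {RRSIG, NSEC}, {1, RRSIG, NSEC}):
        print(sorted(bm), "->", classify(q, nxt, encode_type_bitmap(bm)))
```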