[dns-operations] Cloudflare TYPE65283

Emmanuel Fusté manu.fuste at gmail.com
Mon Mar 27 14:28:30 UTC 2023


On 27/03/2023 at 16:15, Viktor Dukhovni wrote:
> On Mon, Mar 27, 2023 at 03:27:34PM +0200, Emmanuel Fusté wrote:
>
>> If Cloudflare switches to this draft for the ENT case too, it will become
>> as bad as Route53 and only NS1 will give distinguishable real NXDOMAIN.
>> Or ALL compact lies response implementers should switch to this new draft
>> and be known to have switched.
>>
>> Am I missing something? (truly possible :-) )
> To clarify, it isn't the new 0xff03 sentinel RRTYPE that hinders
> distinguishing NXDOMAIN from NODATA responses (once the codepoint is
> recognised).  If you see:
>
>      nxdomain.example. IN NSEC \0.nxdomain.example. RRSIG NSEC TYPE65283
>
> you know that "nxdomain.example." definitely does not exist.  The issue,
> I take it, is that the sentinel-free:
>
>      nxdomain.example. IN NSEC \0.nxdomain.example. RRSIG NSEC
>
> which is an ENT per:
>
>      https://datatracker.ietf.org/doc/html/draft-huque-dnsop-compact-lies-01#section-3.2
>
> may for some time be ambiguous while still used for NXDOMAIN by earlier
> implementations.  For that, sure, we should encourage those
> implementations to adopt whatever becomes the published protocol at
> their earliest convenience (realistically a year or two based on prior
> experience nagging operators to resolve compliance issues).
>
Thank you Viktor.
That confirms my understanding and my analysis in my answers to Petr.

Emmanuel.
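
Added example (not part of the original message or of the draft): a Python sketch of the distinction discussed above, classifying a compact-denial NSEC record by its type bitmap. The function names and result labels are assumptions of this example, and the last two sample lines are constructed.

```python
SENTINEL = "TYPE65283"  # the 0xff03 sentinel RRTYPE from the thread

def parse_nsec(line):
    """Split a presentation-format NSEC line into (owner, next name, type set)."""
    fields = line.split()
    owner = fields[0].lower()
    i = fields.index("NSEC")            # skips optional TTL and class fields
    next_name = fields[i + 1].lower()
    types = {t.upper() for t in fields[i + 2:]}
    return owner, next_name, types

def classify(line):
    """Label a signed negative answer the way a validator-side tool could."""
    owner, next_name, types = parse_nsec(line)
    # Compact denial uses the immediate successor of the owner as next name:
    # "\0.<owner>" as written in the thread, "\000.<owner>" in strict form.
    if next_name not in ("\\0." + owner, "\\000." + owner):
        return "not-compact"
    if SENTINEL in types:
        # Sentinel present: the name definitely does not exist.
        return "NXDOMAIN"
    if types == {"RRSIG", "NSEC"}:
        # An ENT per the draft, but earlier implementations still emit this
        # shape for NXDOMAIN, so the two cannot be told apart from the record.
        return "ENT-or-legacy-NXDOMAIN"
    # Other types in the bitmap: the name exists, the queried type does not.
    return "NODATA"

# First two lines are the records quoted in the thread; the rest are constructed.
SAMPLES = [
    r"nxdomain.example. IN NSEC \0.nxdomain.example. RRSIG NSEC TYPE65283",
    r"nxdomain.example. IN NSEC \0.nxdomain.example. RRSIG NSEC",
    r"www.example. 300 IN NSEC \000.www.example. A RRSIG NSEC",
    r"a.example. IN NSEC c.example. A RRSIG NSEC",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):24} {sample}")
```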


