[dns-operations] Cloudflare TYPE65283

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Mar 27 15:09:35 UTC 2023


On Mon, Mar 27, 2023 at 04:28:30PM +0200, Emmanuel Fusté wrote:

> > definitely does not exist.  The issue I take it that the
> > sentinel-free:
> >
> >      nxdomain.example. IN NSEC \0.nxdomain.example. RRSIG NSEC
> >
> > which is an ENT per:
> >
> >      https://datatracker.ietf.org/doc/html/draft-huque-dnsop-compact-lies-01#section-3.2
> >
> > may for some time be ambiguous while still used for NXDOMAIN by earlier
> > implementations.  For that, sure, we should encourage those
> > implementations to adopt whatever becomes the published protocol at
> > their earliest convenience (realistically a year or two based on prior
> > experience nagging operators to resolve compliance issues).
>
> Thank you Viktor.
> That confirms my understanding and my analysis in my answers to Petr.

Do you have a list of operators that currently return just "RRSIG NSEC"
for ENTs?  Do you know what software they are running?

On the fly signing with compact denial of existence is a bleeding-edge
behaviour, and one might expect that the software in question is not
ossified and operators might be proactive.  So with a bit of luck any
ambiguity might be resolved before long.

The only other option is to introduce yet another sentinel that signals
that the node in question is an ENT, so that the bare "RRSIG NSEC"
combination is ultimately never used.

And, FWIW, the sentinel value will surely need to change (once a better
codepoint is assigned).  The current 0xff03 is in the private-use range.

-- 
    Viktor.
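Added example, not part of the thread above: a resolver-side classifier for the three NSEC shapes the message discusses (sentinel present, bare "RRSIG NSEC", and a classic non-compact record), showing where the ambiguity for earlier implementations sits. The label-tuple representation, the constructed records and the function names are assumptions; the 0xff03 codepoint is the one named in the thread.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

NXNAME_SENTINEL = 65283  # 0xff03: private-use type used as the NXDOMAIN sentinel in the thread
RRSIG, NSEC, A = 46, 47, 1  # standard RR type codes

Labels = Tuple[bytes, ...]  # a DNS name as a tuple of labels, e.g. (b"nxdomain", b"example")


@dataclass(frozen=True)
class NsecRecord:
    owner: Labels
    next_name: Labels
    types: FrozenSet[int]  # contents of the NSEC type bitmap


def is_compact_next(rr: NsecRecord) -> bool:
    """Compact denial sets the next name to the owner name with a "\\0" label prepended."""
    return rr.next_name == (b"\x00",) + rr.owner


def classify(rr: NsecRecord, qname: Labels, assume_draft: bool = False) -> str:
    """Interpret an NSEC returned for qname by a compact-denial-of-existence signer.

    assume_draft=True applies the draft-huque-dnsop-compact-lies reading, under
    which a bare "RRSIG NSEC" bitmap means the owner is an empty non-terminal.
    Returns one of: "classic", "not-covering", "nxdomain", "ent", "ambiguous", "nodata".
    """
    if rr.owner != qname:
        return "not-covering"  # owner != qname: not a compact answer for this query
    if not is_compact_next(rr):
        return "classic"  # ordinary NSEC chain; use normal NSEC semantics instead
    present = rr.types - {RRSIG, NSEC}
    if NXNAME_SENTINEL in present:
        return "nxdomain"  # sentinel present: the name definitely does not exist
    if not present:
        # Bare "RRSIG NSEC": ENT per the draft, but NXDOMAIN in earlier implementations.
        return "ent" if assume_draft else "ambiguous"
    return "nodata"  # name exists with the listed types; the queried type is absent


NAME = (b"nxdomain", b"example")  # constructed, matching the name used in the thread
COMPACT_NEXT = (b"\x00",) + NAME
NX_RR = NsecRecord(NAME, COMPACT_NEXT, frozenset({RRSIG, NSEC, NXNAME_SENTINEL}))
BARE_RR = NsecRecord(NAME, COMPACT_NEXT, frozenset({RRSIG, NSEC}))
NODATA_RR = NsecRecord(NAME, COMPACT_NEXT, frozenset({RRSIG, NSEC, A}))
CLASSIC_RR = NsecRecord(NAME, (b"other", b"example"), frozenset({RRSIG, NSEC}))

if __name__ == "__main__":
    for rr in (NX_RR, BARE_RR, NODATA_RR, CLASSIC_RR):
        print(classify(rr, NAME), classify(rr, NAME, assume_draft=True))
```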


