[dns-operations] Cloudflare TYPE65283

Shumon Huque shuque at gmail.com
Mon Mar 27 21:01:40 UTC 2023


On Tue, Mar 28, 2023 at 12:16 AM Viktor Dukhovni <ietf-dane at dukhovni.org>
wrote:

> On Mon, Mar 27, 2023 at 04:28:30PM +0200, Emmanuel Fusté wrote:
>
> > > definitely does not exist.  The issue I take it that the
> > > sentinel-free:
> > >
> > >      nxdomain.example. IN NSEC \0.nxdomain.example. RRSIG NSEC
> > >
> > > which is an ENT per:
> > >
> > >
> > > https://datatracker.ietf.org/doc/html/draft-huque-dnsop-compact-lies-01#section-3.2
> > >
> > > may for some time be ambiguous while still used for NXDOMAIN by earlier
> > > implementations.  For that, sure, we should encourage those
> > > implementations to adopt whatever becomes the published protocol at
> > > their earliest convenience (realistically a year or two based on prior
> > > experience nagging operators to resolve compliance issues).
> >
> > Thank you Viktor.
> > That confirms my understanding and my analysis in my answers to Petr.
>
> Do you have a list of operators that currently return just "RRSIG NSEC"
> for ENTs?  Do you know what software they are running?
>
> On the fly signing with compact denial of existence is a bleeding-edge
> behaviour, and one might expect that the software in question is not
> ossified and operators might be proactive.  So with a bit of luck any
> ambiguity might be resolved before long.
>
> The only other option is to introduce yet another sentinel that signals
> that the node in question is an ENT, so that the bare "RRSIG NSEC"
> combination is ultimately never used.
>
> And, FWIW, the sentinel value will surely need to change (once a better
> codepoint is assigned).  The current 0xff03 is in the private-use range.
>

I've spoken to both NS1 and Route53, and both are amenable to adjusting
their implementations to support the changes specified in
draft-huque-dnsop-compact-lies. So, we hope that the end result will be
that all known implementations of compact lies will support this common
mechanism to distinguish NXDOMAIN vs ENT vs (other) NODATA.

If there are any other implementations of Compact Lies that folks are aware
of, we should make them aware of this and bring them into the fold.

Shumon.
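Added example (not part of the thread, and not code from any of the implementations named in it): a decoder for the RFC 4034 NSEC type bitmap plus a classifier that applies the three-way split discussed above, with the sentinel assumed to be the private-use code point 65283 (0xff03) named in the subject and Viktor's reply. The sample bitmaps are constructed inline.

```python
# RR type numbers from the thread's NSEC example and the private-use sentinel
# (TYPE65283 / 0xff03). The sentinel value is expected to change once a
# permanent code point is assigned, so it is a constant, not hard-wired logic.
NSEC = 47
RRSIG = 46
NXNAME_SENTINEL = 65283

def decode_type_bitmap(data: bytes) -> set:
    """Decode an RFC 4034 section 4.1.2 window-block type bitmap into RR type numbers."""
    types = set()
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated window header")
        window, length = data[pos], data[pos + 1]
        # Each window covers 256 types; its bitmap is 1..32 bytes, high bit first.
        if not 1 <= length <= 32 or pos + 2 + length > len(data):
            raise ValueError("bad window length")
        bitmap = data[pos + 2 : pos + 2 + length]
        for byte_index, byte in enumerate(bitmap):
            for bit in range(8):
                if byte & (0x80 >> bit):
                    types.add(window * 256 + byte_index * 8 + bit)
        pos += 2 + length
    return types

def encode_type_bitmap(types) -> bytes:
    """Encode RR types as window blocks; used here to construct sample responses."""
    out = b""
    for window in sorted({t >> 8 for t in types}):
        bits = bytearray(32)
        for t in types:
            if t >> 8 == window:
                bits[(t & 0xFF) // 8] |= 0x80 >> (t % 8)
        length = max(i for i, b in enumerate(bits) if b) + 1  # trailing zeros dropped
        out += bytes([window, length]) + bytes(bits[:length])
    return out

def classify_compact_denial(bitmap: bytes) -> str:
    """Classify a compact-denial NSEC answer from its type bitmap.

    Sentinel present -> NXDOMAIN; bare RRSIG+NSEC -> ENT (the case the thread
    notes is still ambiguous with older implementations); anything else -> NODATA.
    """
    types = decode_type_bitmap(bitmap)
    if NXNAME_SENTINEL in types:
        return "NXDOMAIN"
    if types == {NSEC, RRSIG}:
        return "ENT"
    return "NODATA"
```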