[dns-operations] NS1 changing compact NSEC for NXNAME
Jan Včelák
jv at fcelda.cz
Tue Nov 7 23:05:41 UTC 2023
Dear colleagues,
NS1 is going to deploy a change to the Compact Denial of Existence in
DNSSEC which modifies the signaling for empty non-terminals and
non-existent names in the NSEC bit map.
Currently, we include TYPE65281 in the NSEC bit map for empty
non-terminals. We are going to remove that bit and instead set
TYPE65283 in the NSEC bit map for non-existent names.
If you prefer examples, we are moving from the following:
empty.example. IN NSEC \000.empty.example. RRSIG NSEC TYPE65281
nx.example. IN NSEC \000.nx.example. RRSIG NSEC
To the next:
empty.example. IN NSEC \000.empty.example. RRSIG NSEC
nx.example. IN NSEC \000.nx.example. RRSIG NSEC TYPE65283
The change is done in order to get the behavior aligned with
draft-ietf-dnsop-compact-denial-of-existence-01. The code point 65283
was chosen for consistency with Cloudflare's implementation and it
will be updated once the value for NXNAME is assigned.
Please let me know if you have questions. We expect the change to be
deployed in the following weeks.
Best regards,
Jan Včelák (for NS1, an IBM Company)
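The signaling change described in this message, as an added example (not part of the original post and not NS1's code): a Python decoder for the NSEC type bitmap wire format of RFC 4034 section 4.1.2 that interprets a bitmap under the old and the new scheme. The function names and result labels are assumptions made for illustration.

```python
# Added example: decode an NSEC type bitmap (RFC 4034 section 4.1.2 wire
# format) and interpret it under the two signaling schemes in this message.
RRSIG, NSEC = 46, 47
ENT_OLD = 65281   # TYPE65281: marker currently used for empty non-terminals
NXNAME = 65283    # TYPE65283: interim NXNAME code point named in the message

def encode_bitmap(types):
    """Encode RR types as NSEC window blocks (used to construct sample data)."""
    windows = {}
    for t in sorted(set(types)):
        block = windows.setdefault(t >> 8, bytearray(32))
        block[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
    out = bytearray()
    for win in sorted(windows):
        data = bytes(windows[win]).rstrip(b"\x00")
        out += bytes([win, len(data)]) + data
    return bytes(out)

def decode_bitmap(wire):
    """Return the set of RR types in a bitmap, rejecting malformed input."""
    types, pos, last_win = set(), 0, -1
    while pos < len(wire):
        if pos + 2 > len(wire):
            raise ValueError("truncated window header")
        win, length = wire[pos], wire[pos + 1]
        if win <= last_win or not 1 <= length <= 32 or pos + 2 + length > len(wire):
            raise ValueError("malformed window block")
        for i, byte in enumerate(wire[pos + 2:pos + 2 + length]):
            for bit in range(8):
                if byte & (0x80 >> bit):
                    types.add((win << 8) | (i << 3) | bit)
        pos, last_win = pos + 2 + length, win
    return types

def classify(wire, scheme):
    """scheme: 'old' (TYPE65281 marks ENT) or 'new' (TYPE65283 marks NXNAME)."""
    if scheme not in ("old", "new"):
        raise ValueError("unknown scheme")
    extra = decode_bitmap(wire) - {RRSIG, NSEC}
    marker, marked, bare = ((ENT_OLD, "empty non-terminal", "nonexistent name")
                            if scheme == "old" else
                            (NXNAME, "nonexistent name", "empty non-terminal"))
    if extra == {marker}:
        return marked
    if not extra:
        return bare
    return "name exists"  # other types present: NODATA for the queried type
```

A bare `RRSIG NSEC` bitmap flips meaning between the two schemes, so any monitoring or validation logic that still applies the old interpretation will misread responses after the change.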