Having read the draft… How does one distinguish an Empty Non-Terminal NODATA response from an NXDOMAIN response, solely by looking at the NSEC or NSEC3 records?

There is an attack vector where an RCODE 0 can be replaced by RCODE 3 while keeping the rest of the response completely intact, causing an aggressive-use-enabled cache to deny existing records. These kinds of subtleties aren't described in the draft, as far as I can tell.

Roy