It appears that Peter Thomassen <pe...@desec.io> said:
>So I take it that when the EDNS signal is there, compact DoE responses
>get an NXDOMAIN code.
>
>In case the EDNS flag is not set, does the nameserver return (a) the
>compact proof (with sentinel in the type map), but with a NOERROR code,
>or (b) a classical proof (no sentinel), but with an NXDOMAIN code?

It would return an RFC 4470 white lie, which does the same thing but is
larger since it needs two NSEC and two RRSIG records, one for the name
and one to show there's no wildcard.

I wouldn't try to get any more clever. Just use an EDNS0 code in the
query to say compact results are OK. I'd like to use the same code to
say this result is really NXDOMAIN, but those aren't signed, so I
think we do need to assign a metatype to go in the signed NSEC.

R's,
John



_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
