On 3/15/23 13:48, Shumon Huque wrote:
So, if a resolver sends EDNS CompactAnswersOK signal to an authority server,
which returns a NODATA+NXNAME proof + RCODE=3 response, then the resolver would
have to intelligently manage that answer in its cache. To downstream DO=1
queriers that also set
I think it's worth taking a step back though and asking a larger question:
if we are restoring the NXDOMAIN signal with the NXNAME pseudo type in the
NSEC record of NODATA responses, why do we also need to restore NXDOMAIN
into the RCODE field?
Because a bazillion existing clients expect to find
I’ve reviewed the changes as well. They look good to me. Thanks to everyone
involved to help move this forward!
Best,
Chris
> On Mar 11, 2023, at 7:16 PM, Paul Hoffman wrote:
>
> On Mar 11, 2023, at 12:44 PM, Tim Wicinski wrote:
>> Because of this, we're starting a week Working Group Last C
Hi Shumon,
> Currently, the focus of this draft is to more surgically deal with NXDOMAIN
> visibility in Compact Answers (formerly Black Lies). Most customers of these
> implementations today are enterprises, application service providers, and
> other non-TLDs that appear to be comfortable with
Thanks Johan for bringing up this topic.
Currently, the focus of this draft is to more surgically deal with NXDOMAIN
visibility in Compact Answers (formerly Black Lies). Most customers of
these implementations today are enterprises, application service providers,
and other non-TLDs that appear to
Sorry, I don't follow.
The whole point of the conditional behavior based on the EDNS signal, is to
allow RCODE replacement without causing SERVFAIL. Perhaps I have not
clearly described the details, and I also should write it up more
precisely. I'll also wait for your write-up.
Shumon.
On Wed, M
Now it sounds like NXDOMAIN turns into SERVFAIL. When I have a decent keyboard
I'll suggest a way this might not break unmodified downstream clients. Sent
from my Galaxy
Original message From: Shumon Huque Date:
3/15/23 09:18 (GMT-05:00) To: John Levine Cc:
dnsop@ietf.org S
Hi Shumon and Christian,
As one of the authors of RFC 4470 I most certainly care about this topic.
However, to my mind the major issue isn’t so much optimising the amount of work
done at the edge when generating the negative response. Nor is it the size of
the response. Instead my view is that
Only for Compact Answers, otherwise downstream validators may treat the
response as unvalidatable because the rcode doesn't match the DNSSEC proof.
So, I actually see this as unbreaking things.
I think it's worth taking a step back though and asking a larger question:
if we are restoring the NXDOM
Wait, so if my cache does this and I change nothing, it silently turns NXDOMAIN
into NOERROR? That is badly broken. Sent from my Galaxy
Original message From: Shumon Huque Date:
3/15/23 07:48 (GMT-05:00) To: Ralf Weber Cc: John R Levine
, dnsop@ietf.org, pe...@desec.io Subjec
On Wed, Mar 15, 2023 at 2:01 AM Ralf Weber wrote:
> Moin!
>
> On 14 Mar 2023, at 22:57, John R Levine wrote:
>
> >> John it won’t work with chained validators.
> >
> > How about if I only send a "lie to me" option upstream if I get one from
> my client? I realize this means takeup will be pretty