Moin!

On 28 Jul 2021, at 1:34, Shumon Huque wrote:

> The Black Lies method of providing compact DNSSEC denial of existence
> proofs has some operational implications. Depending on the specific
> implementation, it may provide no way to reliably distinguish Empty
> Non-Terminal names from names that actually do not exist. This draft
> describes the use of a synthetic DNS resource record type to act as
> an explicit signal for Empty Non-Terminal names and which is conveyed
> in an NSEC type bitmap.

Hmm, I may be sleep deprived, but the way I read this is that instead of giving back NoError/NoData and a standard NSEC response I now have to give back an additional record type, so that some client can distinguish that as not being NXDomain, which according to the answer it never was?

Does this mean we would have to change all existing authoritative servers to add this record type to signal an empty non-terminal response?

So long
-Ralf
---
Ralf Weber

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
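
The signal discussed in this thread, as an added example that is not part of the original message or of the draft: a Python sketch that encodes and decodes an NSEC type bitmap (RFC 4034, section 4.1.2) and classifies a compact-denial NSEC by whether the synthetic type is present. `ENT_TYPE` is a placeholder taken from the private-use type range, not an assigned code, and all function names are hypothetical.

```python
# Added example: NSEC type bitmap handling per RFC 4034 section 4.1.2.
NSEC, RRSIG, A = 47, 46, 1
ENT_TYPE = 65281  # ASSUMPTION: placeholder from the private-use range, not an assigned code

def encode_bitmap(types):
    """Encode RR type codes as NSEC window blocks (window, length, bitmap)."""
    windows = {}
    for t in types:
        bits = windows.setdefault(t >> 8, bytearray(32))
        bits[(t & 0xFF) // 8] |= 0x80 >> (t & 7)
    out = bytearray()
    for win in sorted(windows):
        bitmap = bytes(windows[win]).rstrip(b"\x00")  # drop trailing zero octets
        out += bytes([win, len(bitmap)]) + bitmap
    return bytes(out)

def decode_bitmap(wire):
    """Decode NSEC window blocks into a set of type codes, rejecting malformed input."""
    types, i, last_win = set(), 0, -1
    while i < len(wire):
        if i + 2 > len(wire):
            raise ValueError("truncated window header")
        win, length = wire[i], wire[i + 1]
        if win <= last_win or not 1 <= length <= 32 or i + 2 + length > len(wire):
            raise ValueError("malformed window block")
        for idx, octet in enumerate(wire[i + 2:i + 2 + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add((win << 8) | (idx * 8 + bit))
        i, last_win = i + 2 + length, win
    return types

def classify(wire):
    """Classify a NOERROR compact-denial NSEC whose owner is the queried name."""
    types = decode_bitmap(wire)
    if ENT_TYPE in types:
        return "empty-non-terminal"
    if types == {NSEC, RRSIG}:
        # Without the marker, this bitmap is all a black-lies server may send
        # for both a nonexistent name and an empty non-terminal.
        return "nonexistent-or-unmarked-ENT"
    return "nodata"
```
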