On Tue, Aug 8, 2023 at 11:50 AM Paul Wouters <p...@nohats.ca> wrote:
> On Tue, 8 Aug 2023, Ben Schwartz wrote:
>
> > If this is correct, then I'm not sure the complexity of solving the ENT
> > problem is worthwhile.

I'm not sure which "ENT" problem Ben is referring to solving here. The draft proposes ways to precisely identify NXDOMAIN in this system (which involves the ability to distinguish them from ENTs).

> At $dayjob, I had to add bogus TXT records to our zones because of ENT
> issues with Amazon Route53, which Amazon knows about and has refused to
> fix for years.
>
> Fixing the ENT problem (somewhere) is useful. It causes issues that are
> hard to debug for non-DNS (and most DNS) people. This seems more
> important to me than packet size.

Paul - your ENT issue is a bit different, which is that some implementations incorrectly return NXDOMAIN responses for Empty Non-Terminal names. Amusingly, Amazon's DNSSEC implementation (which is Compact DoE) did in fact address that problem because there are no NXDOMAINs returned ever! :)

So, another way you could solve that problem is by signing your Route53 zones!

Shumon.
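The ENT behaviour discussed in this thread, as an added example that is not part of any message in it: a small Python model of an unsigned zone that lists its Empty Non-Terminals and compares the correct answer (NOERROR with no data) against a lookup that only matches owner names holding records. The zone contents and all function names are constructed for illustration; wildcards, delegations and DNSSEC are not modelled.

```python
# Added example. Zone contents are constructed sample data; wildcards,
# delegations and DNSSEC are out of scope.
ZONE = {
    "example.com.": {"SOA", "NS"},
    "host.dept.example.com.": {"A"},   # makes dept.example.com. an ENT
}

def labels(name):
    """Domain name -> tuple of lowercase labels, trailing dot ignored."""
    return tuple(l for l in name.lower().rstrip(".").split(".") if l)

def owners(zone):
    """Set of owner names (as label tuples) that hold records."""
    return {labels(o) for o in zone}

def is_ent(zone, qname):
    """No records at qname, but at least one owner name below it."""
    q, own = labels(qname), owners(zone)
    return bool(q) and q not in own and any(
        len(o) > len(q) and o[-len(q):] == q for o in own)

def correct_rcode(zone, qname):
    """Names that exist, ENTs included, get NOERROR (NODATA if no type match)."""
    exists = labels(qname) in owners(zone) or is_ent(zone, qname)
    return "NOERROR" if exists else "NXDOMAIN"

def exact_match_rcode(zone, qname):
    """Faulty lookup from the thread: only names that own records exist."""
    return "NOERROR" if labels(qname) in owners(zone) else "NXDOMAIN"

def find_ents(zone, apex):
    """List every ENT between the apex and the zone's owner names."""
    own, depth, ents = owners(zone), len(labels(apex)), set()
    for o in own:
        for i in range(1, len(o) - depth):   # ancestors strictly below apex
            if o[i:] not in own:
                ents.add(".".join(o[i:]) + ".")
    return sorted(ents)

if __name__ == "__main__":
    for name in find_ents(ZONE, "example.com."):
        print(name, "correct:", correct_rcode(ZONE, name),
              "exact-match server:", exact_match_rcode(ZONE, name))
```

Adding a placeholder record at each name returned by `find_ents` is the model's equivalent of the bogus TXT workaround: the name stops being empty, so even the exact-match lookup answers NOERROR.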