On Tue, Aug 8, 2023 at 9:13 AM Edward Lewis <edward.le...@icann.org> wrote:
> On Mon, Jul 31, 2023 at 11:58 AM Edward Lewis <edward.le...@icann.org> wrote:
>
> > >You've probably stumbled across Cloudflare's differential behavior for DO=0 vs
> > >DO=1 queries. With non-DNSSEC queries it provides a vanilla, unsigned
> > >NXDOMAIN response. With DNSSEC enabled queries, it provides the
> > >Compact Answer NODATA response.
> >
> > Stumbled isn’t the right word - I purposely went looking for it, found it as I had expected. This is what was “feared” in the section in “Protocol Modifications for the DNS Security Extensions” titled “Including NSEC RRs in a Zone” [a.k.a. RFC 4035, 2.3] - the divergence of the unsecured and secured view of a zone.

Ah, I stand corrected on "stumbling" :)

Note however that Cloudflare quite deliberately implemented this differential behavior (to preserve NXDOMAIN visibility for pre-DNSSEC clients I suspect). Some other implementations of Compact DoE return a uniform (NOERROR) RCODE for either case. So, I do not think this is a result of divergence in the contents of the signed vs unsigned zone.

Shumon.
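Added example, not part of the original message or of any implementation discussed in the thread: a Python sketch of what distinguishes the DO=0 and DO=1 queries on the wire and how a monitoring check could flag the NXDOMAIN-versus-NODATA divergence described above. The function names, the name `nonexistent.example` and the header-only sample responses are constructed for illustration; the classifier assumes the response comes from a server authoritative for the zone, so NOERROR with an empty answer section is NODATA and not a referral.

```python
import struct

def encode_name(name):
    """Encode a domain name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1, do_bit=False, msg_id=0x1234):
    """Build a query carrying an EDNS0 OPT record; DO is the top bit of the OPT flags."""
    header = struct.pack("!HHHHHH", msg_id, 0x0000, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = ext-rcode(8) | version(8) | flags(16), RDLENGTH 0.
    ttl = 0x8000 if do_bit else 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, ttl, 0)
    return header + question + opt

def classify_denial(response):
    """Classify a response from its header: NXDOMAIN, NODATA, ANSWER or RCODE<n>."""
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR=0)")
    rcode = flags & 0x000F
    if rcode == 3:
        return "NXDOMAIN"
    if rcode == 0:
        return "NODATA" if ancount == 0 else "ANSWER"
    return "RCODE%d" % rcode

def differential(resp_do0, resp_do1):
    """True when the DO=0 and DO=1 views of the same name disagree."""
    return classify_denial(resp_do0) != classify_denial(resp_do1)

def sample_response(query, rcode):
    """Constructed response: header (QR=1, AA=1) plus question, authority records omitted."""
    return query[:2] + struct.pack("!HHHHH", 0x8400 | rcode, 1, 0, 0, 0) + query[12:-11]

if __name__ == "__main__":
    q0 = build_query("nonexistent.example", do_bit=False)
    q1 = build_query("nonexistent.example", do_bit=True)
    r0, r1 = sample_response(q0, 3), sample_response(q1, 0)  # constructed samples
    print(classify_denial(r0), classify_denial(r1), differential(r0, r1))
```

A server that returns a uniform NOERROR for both queries, as the reply says some other Compact DoE implementations do, makes `differential` return False.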