On Sun, Mar 17, 2024 at 9:08 AM John Levine <jo...@taugh.com> wrote:
> It appears that Dave Lawrence <t...@dd.org> said:
> >Stephane Bortzmeyer writes:
> >> > One current implementation does not differentiate DO=0 vs 1 and gives the
> >> > same NODATA answer for both cases.
> >>
> >> Yes. I see no practical problem with that but, from a philosophical
> >> point of view, it disturbs me. Naive clients may make wrong
> >> conclusions from the NODATA answer.
> >
> >Very much so, and not just naive programmatic clients but also
> >non-naive real-life human clients. I myself have been misled by
> >noerror/nodata where nxdomain would have been correct. It's
> >frustrating.
> >
> >nxdomain is usefully distinct and auth servers really ought to be
> >strongly encouraged to return it where applicable.
>
> We have an entire RFC 8020 about the difference and why it's important.

Yes, I agree with this of course. Compact Denial intentionally broke the NXDOMAIN signal. One of the main thrusts of this draft was to bring back the non-existence signal in the form of an authenticable record in the payload.

The draft allows (but does not proscribe) NXDOMAIN to be inserted into the Rcode for non-DNSSEC-enabled responses. I guess the main reason for not being proscriptive was what I mentioned: there were deployments in the field that didn't. But I'm amenable to tightening up the language if there is consensus for it (and I'll also chat with the implementers).

Since we also support signaled restoration of the NXDOMAIN RCODE field for DNSSEC-enabled queries, I'm persuaded that we should probably close this divergence for non-DNSSEC too.

Shumon.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop