Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-denial-of-existence-03.txt

[Stephane Bortzmeyer <bortzmeyer@nic.fr>]

On Mon, Mar 04, 2024 at 02:15:55PM -0800,
 internet-drafts@ietf.org <internet-drafts@ietf.org> wrote 
 a message of 48 lines which said:

> Internet-Draft draft-ietf-dnsop-compact-denial-of-existence-03.txt is now
> available. It is a work item of the Domain Name System Operations (DNSOP) WG
> of the IETF.

I just implemented it at the IETF 119 hackathon in Brisbane
(programming details at the end), on an authoritative-only server. I
think I have done everything that's in the draft, including the EDNS
signaling (new flag CO).

This was quite simple and the draft is enough to guide the
implementor. I find the draft clear and useful.

Among the questions raised:

* is there an EDE which is recommended when replying to an
explicit request for a meta-type (like QTYPE=NXNAME)? The draft says
to set the rcode to FormErr but does not discuss EDE.

* the draft does not discuss the consequences of compact denial for
synthesis of negative answers by a resolver (RFC 8020 and 8198).

* [this one is outside the scope of the draft] Is it
reasonable/legitimate to reply NODATA for a non-existing name when
the client did not set the DO flag, or even when it did not use EDNS?

Programming details: the change was made on the Drink authoritative
dynamic server <https://framagit.org/bortzmeyer/drink/>. Since Drink
only has dynamic signing, it implemented the white lies of RFC
4470. Adding compact denial was mostly removing code since, for the
authoritative name server, compact denial is simpler than white
lies. But it challenged some assumptions in the code (for instance
that the rcode, once set, is not changed during processing of the
request) and, in the case of Drink, required changes in several
places. The code is in the branch compact-denial 
<https://framagit.org/bortzmeyer/drink/-/tree/compact-denial?ref_type=heads>.