Re: [DNSOP] Empty Non-Terminal sentinel for Black Lies

Ralf Weber <> Wed, 28 July 2021 11:43 UTC

From: Ralf Weber
To: Shumon Huque
Cc: DNSOP WG
Date: Wed, 28 Jul 2021 13:42:47 +0200
Subject: Re: [DNSOP] Empty Non-Terminal sentinel for Black Lies

On 28 Jul 2021, at 1:34, Shumon Huque wrote:

>    The Black Lies method of providing compact DNSSEC denial of existence
>    proofs has some operational implications.  Depending on the specific
>    implementation, it may provide no way to reliably distinguish Empty
>    Non-Terminal names from names that actually do not exist.  This draft
>    describes the use of a synthetic DNS resource record type to act as
>    an explicit signal for Empty Non-Terminal names and which is conveyed
>    in an NSEC type bitmap.
Hmm, I may be sleep deprived, but the way I read this is that instead of
giving back NoError/NoData and a standard NSEC response I now have to
give back an additional record type, so that some client can distinguish that
as not being NXDomain, which according to the answer it never was?

Does this mean we would have to change all existing authoritative servers
to add this record type to signal empty non-terminal responses?

So long
Ralf Weber
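The distinction the draft abstract and the reply above are arguing about can be made concrete by building the NSEC records a Black Lies server would return and then asking what a resolver can conclude from each. The following is an added illustration, not code from the draft, the list thread, or any DNS implementation. It encodes and decodes the NSEC type bitmap in the RFC 4034 window-block format, constructs a Black Lies NSEC (owner = query name, next name = its immediate successor, so the response is always NOERROR rather than NXDOMAIN), and classifies the response with and without the sentinel. The sentinel's type code is not given on the page, so `ENT_SENTINEL` is an assumed placeholder from the private-use range; the function names and the `sentinel_in_use` flag are likewise this example's own.

```python
"""Black Lies denial-of-existence responses: build the NSEC type bitmap
(RFC 4034 section 4.1.2) and classify what a resolver can conclude,
with and without an Empty Non-Terminal (ENT) sentinel type."""

A = 1
TXT = 16
RRSIG = 46
NSEC = 47
# Placeholder: the page does not give the sentinel's type code, so a value
# from the private-use range (65280-65534, RFC 6895) is assumed here.
ENT_SENTINEL = 65280


def encode_type_bitmap(types):
    """Encode a set of RR type codes into NSEC window-block wire format."""
    windows = {}
    for t in types:
        if not 0 <= t <= 0xFFFF:
            raise ValueError(f"bad type code {t}")
        window, low = t >> 8, t & 0xFF
        bitmap = windows.setdefault(window, bytearray(32))
        bitmap[low >> 3] |= 0x80 >> (low & 7)  # bit 0 of each octet is the MSB
    out = bytearray()
    for window in sorted(windows):
        bitmap = windows[window]
        length = 32
        while length and bitmap[length - 1] == 0:  # trailing zero octets are omitted
            length -= 1
        if length:  # windows with no bits set are omitted entirely
            out += bytes((window, length)) + bitmap[:length]
    return bytes(out)


def decode_type_bitmap(data):
    """Decode NSEC window-block wire format back into a set of type codes."""
    types = set()
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated window header")
        window, length = data[pos], data[pos + 1]
        if not 1 <= length <= 32:
            raise ValueError(f"bad bitmap length {length}")
        bitmap = data[pos + 2:pos + 2 + length]
        if len(bitmap) != length:
            raise ValueError("truncated bitmap")
        for i, octet in enumerate(bitmap):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add((window << 8) | (i << 3) | bit)
        pos += 2 + length
    return types


def successor(qname):
    """Immediate successor of a name in canonical order: prepend a \\000 label."""
    return "\\000." + qname


def black_lies_nsec(qname, types):
    """The (owner, next, bitmap) tuple a Black Lies server signs for qname."""
    return qname, successor(qname), encode_type_bitmap(types)


def classify(qname, qtype, rcode, nsec, sentinel_in_use):
    """What a validating resolver can conclude from a Black Lies response."""
    owner, nxt, bitmap = nsec
    types = decode_type_bitmap(bitmap)
    if rcode != "NOERROR" or owner != qname or nxt != successor(qname):
        return "not a Black Lies response"
    if qtype in types:
        return "inconsistent: bitmap claims qtype exists"
    if ENT_SENTINEL in types:
        return "ENT"
    if types <= {NSEC, RRSIG}:
        # Only the types every Black Lies NSEC carries. With the sentinel
        # deployed this means the name does not exist; without it the name
        # may be nonexistent or an ENT, which is the ambiguity the draft targets.
        return "nonexistent" if sentinel_in_use else "nonexistent or ENT (ambiguous)"
    return "NODATA"
```

The bitmap codec is checked against the worked example in RFC 4034 (types A, MX, RRSIG, NSEC and TYPE1234), and the classifier shows the point of the reply: a plain Black Lies NSEC carrying only NSEC and RRSIG looks the same for an ENT and for a name that does not exist, so a resolver can only separate the two once the server adds the sentinel type to the ENT's bitmap.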