Re: [DNSOP] Empty Non-Terminal sentinel for Black Lies

Shumon Huque <> Wed, 28 July 2021 11:30 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5AB683A09C3 for <>; Wed, 28 Jul 2021 04:30:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wiFCfnJbaE5v for <>; Wed, 28 Jul 2021 04:30:16 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::52f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 131F33A09B8 for <>; Wed, 28 Jul 2021 04:30:15 -0700 (PDT)
Received: by with SMTP id j2so2669271edp.11 for <>; Wed, 28 Jul 2021 04:30:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jxp22Ntzsd3xK3EkJTwaCEzTXvovpYIgrDhJhQhoOus=; b=svy+22nTf/lY2Pps1vep1+K2mO1Aja7lNf1Ic9kwyS6Bey7sL9wEI3XAKaPVpW362I Soyop55kOuCmrn/TFvy9qKgOfLeiqu2DvB9upSIbQgjMUxKdLRy+maW+zjk78Kcp6Q33 IJtBruu917H2JpoxoadeeEyksLvL+u1Ri+vidNVqcUhkm/QAz4IWEB0HF9UezuORknjh EY1ef/LN4wTq6I7pHm+VaIK+fVIlnR46/Y3KXLGcseKVbad353QTdStkBOmDWhQt8Rq6 tEOf57Rw+I5Zm4W6SqFGny/PPYhTN7Z7OHH/XUKMirJtJyxShPXVq7c6qutsP9eebdnJ y1Wg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jxp22Ntzsd3xK3EkJTwaCEzTXvovpYIgrDhJhQhoOus=; b=Y0a8uLdHxqb2EteN1p25xw3LEfq6su944T60llM0XS517ixhV4TGqRLGrs0j6gHmzV xn/ZV3Nx1fG6hp0KvKCS6fLrAt4z4hfioVeLkLVNLK+BRMgbEfHXBDx8mLJMLpjY9wdx vhc3scov9tbDl1XVvC82mChunvgA2Bl/wKFx5jihx38zEqSZ5sVfLikxObrxHf4UH0ty LcurhHEfaaY2fefi+AggOaiY3IeGz3l/pvAQJfJxOZFkSl3pJxnYI/t1NcBRcg+jOaSw Ae9KeOeOrQgXu/apVSZh6qCq4sJ0pT0KtU+aLf15mavZiTbr+rCU4I+OqdZICR2BxOGb HT5A==
X-Gm-Message-State: AOAM532v4czdjKsc/FJIm8LTw9U+4/iPQfb0Nsa8JmE1KBmr4EDYb7b0 OF9uq5Le0RYBc3NaDBpnEQrrO9g7dNwbSvIBQ28=
X-Google-Smtp-Source: ABdhPJxx5Ug+dxdv7xumjgSIUES8J8786loVh2A0ZGPl9qmPD0XcwpIRJHdsUrHGP1FQfLbLmFh25GlXNmQM4XKlgBw=
X-Received: by 2002:aa7:d841:: with SMTP id f1mr3088845eds.196.1627471813699; Wed, 28 Jul 2021 04:30:13 -0700 (PDT)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Shumon Huque <>
Date: Wed, 28 Jul 2021 07:30:02 -0400
Message-ID: <>
To: Brian Dickson <>
Cc: " WG" <>
Content-Type: multipart/alternative; boundary="000000000000566c4805c82d4f92"
Archived-At: <>
Subject: Re: [DNSOP] Empty Non-Terminal sentinel for Black Lies
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 28 Jul 2021 11:30:21 -0000

On Tue, Jul 27, 2021 at 8:46 PM Brian Dickson <>

> On Tue, Jul 27, 2021 at 4:35 PM Shumon Huque <> wrote:
>> Folks,
>> While we have the attention of DNSOP folks this week, I'd like to ask for
>> review of this draft (I meant to send it earlier in time for f2f discussion
>> on Tuesday, but better late than never).
> That's interesting, and I'm definitely in favor of continuing this work.
>  A couple of quick questions:
>    - Are there distinctions between NSEC and NSEC3, where ENTs and/or
>    negative proofs result in different response sets?
> I'm not sure I entirely understood your question, but for a specific
denial of existence mechanism (NSEC, NSEC3, NSEC/3 White Lies, Black Lies)
the response set should be the same. They will differ between those

In NSEC, an ENT response would contain 1 NSEC record that covers the ENT.

In NSEC3, the ENT response would contain 1 NSEC3 record that matches the
hash of the ENT.

In Blacklies, the ENT response contains 1 NSEC record that matches the ENT.

>    - Would it make sense to include the synthetic ENT RR as an actual RR
>    in the unsigned zones for such names (i.e. which, absent this record, would
>    be ENTs)?
So that you can easily distinguish ENTs in unsigned zones? I guess that
could be of possible use, but I'm not sure how compelling that would be.

For me, the goal of this draft is not necessarily to be able to detect ENTs,
but to precisely distinguish non-existent names from existing names (of
ENTs are a subset).

>    - Does it make sense to harmonize the resulting answers across both
>    "black lies" and pre-signed zones?
>       - That harmonizing might be advisable and/or necessary in a
>       multi-signer universe where one provider is statically signing, and the
>       other is dynamically signing
Harmonizing the negative answers? Despite their differences, mixing
denial of existence mechanisms in a multi-signer configuration shouldn't
any issues. We describe why in RFC 8901, Section 5, although mixing online
pre-computed signing will reduce the efficiency of mechanisms like
negative caching.

Presumably this would get added to the set of types that must not co-exist
> with any other type, and must be singletons.

Yes, but this is really a pseudo type that is only conveyed in a type
bitmap, and
ENTs by definition have no record types associated with them otherwise - the
answer section is always empty.

If you query the synthetic type itself, it returns a response without
itself in the
type bitmap (so it looks like a NODATA). That may seem mildly paradoxical in
that it denies its own existence. But we already have a precedent for such
in DNSSEC - recall the famed "NSEC3 paradox" :)