MIME-Version: 1.0
From: Shumon Huque <shuque@gmail.com>
Date: Thu, 25 Jul 2024 14:05:28 -0700
Message-ID: 
 <CAHPuVdVPXu_J=byYw+Seqd138rmeh0NW9Ov9XpCkua7-g=SFqg@mail.gmail.com>
To: "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d3dd25061e18c1fa"
Subject: [DNSOP] Compact Denial of Existence updates
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: 
 <https://mailarchive.ietf.org/arch/msg/dnsop/VPPajm-VttvRmKsR4sGRJbXFLqQ>

--000000000000d3dd25061e18c1fa
Content-Type: text/plain; charset="UTF-8"

DNSOP colleagues,

(Reference:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-compact-denial-of-existence-04
)

We didn't ask for IETF120 agenda time for Compact Denial of Existence
since we believe the spec is done, and we hope the chairs will see fit
to push out the WGLC notice soon.

A few updates on code point allocation: the draft had 3 actions for IANA:

1. Allocation of the NXNAME RR type code.
2. Allocation of the Invalid Query Type EDE (Extended DNS Error) code.
3. Allocation of the "CO" EDNS header flag (for signaled restoration of
  the NXDOMAIN RCODE).

The first two of these have been done: NXNAME (using the early allocation
process) has been allocated 128, the lowest number in the meta-type space.
Invalid Query Type has been allocated EDE code 30.

The third one requires Standards Action, so will need to await RFC
publication.

Christian Elmerot/Cloudflare and Jan Vcelak/NS1 are chatting about
a coordinated time (with likely pre-announcement to the DNS-OARC
dns-operations@ list) for switching their implementations of NXNAME
from the currently deployed private RR-type 65283 to 128.

In the meantime, for demonstration purposes, I have a test authority
server (using custom code) that implements NXNAME using 128, returns
the EDE code for explicit NXNAME queries, and implements NXDOMAIN
rcode restoration with the CO header flag. dig output follows ..

Shumon.


##
## Compact Denial NXDOMAIN response using RR type code 128 for NXNAME
##

$ dig +dnssec +nostats nxdomain.deleg.huque.com. A

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8779
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;nxdomain.deleg.huque.com.      IN      A

;; AUTHORITY SECTION:
deleg.huque.com.        1800    IN      SOA     mname.deleg.huque.com. hostmaster.huque.com. 1000000001 43200 3600 3628800 3600
deleg.huque.com.        1800    IN      RRSIG   SOA 13 3 3600 20240727194648 20240725194648 64677 deleg.huque.com. qWrM+jRNrJ7ZZfwNT1Rc0FUd+STnr3u9WXE95LIbQgif1mcFHvEn8Wqy EpC9o/xKmFQE+nc4O835/fp/UCVIdg==
nxdomain.deleg.huque.com. 3600  IN      NSEC    \000.NxdoMaIN.dELeG.HuqUE.COm. RRSIG NSEC TYPE128
nxdomain.deleg.huque.com. 3600  IN      RRSIG   NSEC 13 4 3600 20240727194648 20240725194648 64677 deleg.huque.com. Qfgq/DwYwKyvESavY3xRRW4dgeydOzeOGqBsOVgtcPYrK0pjERA9DEde 1T1oTey7hzGNSZfU7gyCP8qo2/WWyg==


##
## Response to explicit NXNAME query: FORMERR + Invalid Query Type EDE code
##

$ dig @3.216.78.182 +dnssec +nostats +norecurse nxdomain.deleg.huque.com. TYPE128

;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 7918
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; EDE: 30: (Invalid Query Type)
;; QUESTION SECTION:
;nxdomain.deleg.huque.com.      IN      TYPE128


##
## Signaled NXDOMAIN rcode restoration with "CO" (0x4000) EDNS header flag
##

$ dig @3.216.78.182 +ednsflags=0x4000 +dnssec +nostats +norecurse nxdomain.deleg.huque.com. A

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55809
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; MBZ: 0x4000, udp: 1232
;; QUESTION SECTION:
;nxdomain.deleg.huque.com.      IN      A

;; AUTHORITY SECTION:
deleg.huque.com.        3600    IN      SOA     mname.deleg.huque.com. hostmaster.huque.com. 1000000001 43200 3600 3628800 3600
deleg.huque.com.        3600    IN      RRSIG   SOA 13 3 3600 20240725215435 20240723215435 64677 deleg.huque.com. v9m25W6kcss92fLv10YBp/LLgyICeVZy4mubT65ohl4odEnpGWG2PM6/ ti68sWHAAu8knsPJrmyiOOV6Oc79jQ==
nxdomain.deleg.huque.com. 3600  IN      NSEC    \000.nxdomain.deleg.huque.com. RRSIG NSEC TYPE128
nxdomain.deleg.huque.com. 3600  IN      RRSIG   NSEC 13 4 3600 20240725215435 20240723215435 64677 deleg.huque.com. 9srODFf4XjKIanzfEpfhIe90JADXoU08OMZvoal9Uww06AqBlTh0i8zc lrLuK5XIQVUgup4VMBjkxtFErtcvFw==

--000000000000d3dd25061e18c1fa--
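
An added example (not part of the original message and not the author's test server code): how a validator can tell a Compact Denial NXDOMAIN from NODATA by decoding the NSEC type bitmap and looking for NXNAME (128) or the older private type 65283, plus the OPT TTL value that carries the CO flag (0x4000). It assumes the NSEC RRSIG has already been validated and the NSEC owner name equals the query name; all function names are hypothetical.

```python
"""Classify a Compact Denial of Existence answer from its NSEC type bitmap."""
NXNAME = 128            # allocated RR type code, per the message
NXNAME_LEGACY = 65283   # private RR type deployed before the allocation
RRSIG, NSEC = 46, 47
EDNS_DO, EDNS_CO = 0x8000, 0x4000   # CO bit as used in the dig output

def encode_bitmap(types):
    """RFC 4034 section 4.1.2 type bitmap: (window, length, bits) blocks."""
    windows = {}
    for t in types:
        block = windows.setdefault(t >> 8, bytearray(32))
        block[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
    out = bytearray()
    for win in sorted(windows):
        bits = bytes(windows[win]).rstrip(b"\x00")
        out += bytes([win, len(bits)]) + bits
    return bytes(out)

def decode_bitmap(wire):
    """Return the set of RR types; reject malformed window blocks."""
    types, pos, last = set(), 0, -1
    while pos < len(wire):
        if pos + 2 > len(wire):
            raise ValueError("truncated window header")
        win, length = wire[pos], wire[pos + 1]
        if win <= last or not 1 <= length <= 32 or pos + 2 + length > len(wire):
            raise ValueError("bad window block")
        for i, byte in enumerate(wire[pos + 2:pos + 2 + length]):
            types |= {(win << 8) | (i << 3) | b for b in range(8) if byte & (0x80 >> b)}
        pos, last = pos + 2 + length, win
    return types

def classify(bitmap_wire):
    """NXDOMAIN if the NSEC at the query name carries NXNAME, else NODATA."""
    types = decode_bitmap(bitmap_wire)
    if NXNAME in types:
        return "NXDOMAIN"
    if NXNAME_LEGACY in types:
        return "NXDOMAIN (legacy private type)"
    return "NODATA"

def opt_ttl(do=True, co=False, ext_rcode=0, version=0):
    """32-bit OPT TTL field: ext-rcode, version, then the 16 EDNS flag bits."""
    flags = (EDNS_DO if do else 0) | (EDNS_CO if co else 0)
    return (ext_rcode << 24) | (version << 16) | flags

# Constructed sample: the "RRSIG NSEC TYPE128" bitmap shown in the dig output.
SAMPLE = encode_bitmap({RRSIG, NSEC, NXNAME})
```
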

