Re: [DNSOP] Empty Non-Terminal sentinel for Black Lies

Peter van Dijk <> Thu, 29 July 2021 18:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AD5F73A1460 for <>; Thu, 29 Jul 2021 11:28:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.498
X-Spam-Status: No, score=-1.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.399, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id m9OftQkTxgEI for <>; Thu, 29 Jul 2021 11:28:38 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9B3183A1463 for <>; Thu, 29 Jul 2021 11:28:38 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by (Postfix) with ESMTPSA id 223A86A020; Thu, 29 Jul 2021 20:28:36 +0200 (CEST)
Received: from plato ([]) by with ESMTPSA id pWxqB1TzAmHOCwAA3c6Kzw (envelope-from <>); Thu, 29 Jul 2021 20:28:36 +0200
Message-ID: <>
From: Peter van Dijk <>
To: " WG" <>
Date: Thu, 29 Jul 2021 20:28:35 +0200
In-Reply-To: <>
References: <>
Organization: PowerDNS.COM B.V.
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.30.5-1.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [DNSOP] Empty Non-Terminal sentinel for Black Lies
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 29 Jul 2021 18:28:43 -0000

Hi Shumon,

On Tue, 2021-07-27 at 19:34 -0400, Shumon Huque wrote:
> Folks,
> While we have the attention of DNSOP folks this week, I'd like to ask for review of this draft (I meant to send it earlier in time for f2f discussion on Tuesday, but better late than never).
> Excerpt:
>                Empty Non-Terminal Sentinel for Black Lies
> Abstract
>    The Black Lies method of providing compact DNSSEC denial of existence
>    proofs has some operational implications.  Depending on the specific
>    implementation, it may provide no way to reliably distinguish Empty
>    Non-Terminal names from names that actually do not exist.  This draft
>    describes the use of a synthetic DNS resource record type to act as
>    an explicit signal for Empty Non-Terminal names and which is conveyed
>    in an NSEC type bitmap.

I have read the draft, and I believe I understand what the draft is doing. I have also read the Introduction and Motivation section. While it does contain some motivation, I do not think it contains enough motivation. One might argue that ENT/NXDOMAIN problems do not exist with these operators, precisely because they do Black Lies.

Furthermore, it looks like a trick that could only be relied on with specific operators (such as, for now, NS1) that have implemented it. There are plenty of differences between the implementations already. In fact, when promoting RFC8482, CloudFlare heavily argued how the difference between NODATA and NXDOMAIN is a very expensive one for them. So presumably, it would not make sense for them to implement this signal. Because of that, I wonder if it would not make more sense if the individual implementers/operators of things that are somewhat similar under the 'Black Lies'-umbrella document how they signal the difference between ENT and NXDOMAIN. (It would of course be fine if some of them agree on the signal).

I also hope, but want to say that out loud here, that there is no expection of -resolver- software to handle this signal in any special way.

Kind regards,
Peter van Dijk