Re: [DNSOP] Empty Non-Terminal sentinel for Black Lies

"Hollenbeck, Scott" <> Wed, 28 July 2021 12:18 UTC


From: DNSOP <> On Behalf Of Shumon Huque
Sent: Tuesday, July 27, 2021 7:35 PM
To: WG <>
Subject: [EXTERNAL] [DNSOP] Empty Non-Terminal sentinel for Black Lies


While we have the attention of DNSOP folks this week, I'd like to ask for review of this draft (I meant to send it earlier in time for f2f discussion on Tuesday, but better late than never).


               Empty Non-Terminal Sentinel for Black Lies


   The Black Lies method of providing compact DNSSEC denial of existence
   proofs has some operational implications.  Depending on the specific
   implementation, it may provide no way to reliably distinguish Empty
   Non-Terminal names from names that actually do not exist.  This draft
   describes the use of a synthetic DNS resource record type to act as
   an explicit signal for Empty Non-Terminal names and which is conveyed
   in an NSEC type bitmap.

[SAH] Something to consider:

“The “black lies” term may get called into question.
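To make the mechanism in the quoted abstract concrete, here is an added example (not code from the draft or from either poster) that encodes and decodes an NSEC type bitmap in the RFC 4034 wire format and classifies a Black Lies style negative answer by what the bitmap says. The sentinel type number is an assumed placeholder from the RFC 6895 private-use range, not the draft's allocation; the classification rule (sentinel present means Empty Non-Terminal) follows the abstract above.

```python
from typing import Iterable, List

# ASSUMPTION: placeholder sentinel code in the private-use range (65280-65534);
# the draft's actual type code is not given in this thread.
ENT_SENTINEL_TYPE = 65280
RRSIG, NSEC = 46, 47  # RR type numbers from RFC 4034


def encode_type_bitmap(types: Iterable[int]) -> bytes:
    """Encode RR type numbers into NSEC window blocks (RFC 4034, section 4.1.2)."""
    windows = {}
    for t in sorted(set(types)):
        win, low = t >> 8, t & 0xFF
        bitmap = windows.setdefault(win, bytearray(32))
        bitmap[low >> 3] |= 0x80 >> (low & 7)  # bit 0 is the high-order bit
    out = bytearray()
    for win in sorted(windows):
        bitmap = windows[win]
        length = len(bitmap.rstrip(b"\x00"))  # trailing zero octets are omitted
        out += bytes([win, length]) + bitmap[:length]
    return bytes(out)


def decode_type_bitmap(data: bytes) -> List[int]:
    """Decode window blocks back into a sorted list of RR type numbers."""
    types, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window block header")
        win, length = data[i], data[i + 1]
        if not 1 <= length <= 32 or i + 2 + length > len(data):
            raise ValueError("malformed window block")
        block = data[i + 2:i + 2 + length]
        for byte_index, byte in enumerate(block):
            for bit in range(8):
                if byte & (0x80 >> bit):
                    types.append((win << 8) | (byte_index * 8 + bit))
        i += 2 + length
    return types


def classify_black_lies(qtype: int, bitmap: bytes) -> str:
    """Interpret a Black Lies NSEC bitmap for the queried name and type."""
    types = set(decode_type_bitmap(bitmap))
    if ENT_SENTINEL_TYPE in types:
        return "ent"            # explicit Empty Non-Terminal signal
    if qtype in types:
        return "inconsistent"   # bitmap asserts qtype exists: not a denial
    if types <= {RRSIG, NSEC}:
        # Only RRSIG+NSEC: name does not exist under the sentinel scheme;
        # a server without the sentinel would answer an ENT the same way.
        return "nxdomain"
    return "nodata"             # name exists with other types, qtype absent
```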