John Shaft

One more straw on the #DNS camel's back! Yay! \o/

Compact Denial of Existence in #DNSSEC is finally published as RFC 9824

Introducing a new EDNS header flag: CO (Compact Answers OK). As it's the first time a new one is added, it will surely run smoothly with stupid middleboxes \o/

It additionnaly adds more traditionnal stuff: a new RR (NXNAME) and a new EDE (Invalid Query Type)

https://www.rfc-editor.org/info/rfc9824

Information on RFC 9824 » RFC Editor

Sep 19, 2025 at 8:45pmWeb
Show threadPatrick MevzekSep 19, 2025
@shaft A new RR that can NOT appear in zone.
Show threadJohn ShaftSep 19, 2025

@pmevzek Indeed, only in NSEC type bit maps.

This one is already added in my little DoH client ;)

Show threadPatrick MevzekSep 19, 2025
@shaft "it will surely run smoothly with stupid middleboxes \o/". Not an issue. The flag is to enable "enhanced" treatment by server aka NSEC(NXNAME)+NXDOMAIN - which resolvers can't know about if not implementing this RFC - instead of the "usual" (actual) NSEC(stuff)+NODATA of current way to do "compact denial of existence", that is basically NXDOMAIN but without burden to find the "real" next name.