diff --git a/draft-ietf-dnsop-compact-denial-of-existence.xml b/draft-ietf-dnsop-compact-denial-of-existence.xml
index 7c4df30..7834a72 100644
--- a/draft-ietf-dnsop-compact-denial-of-existence.xml
+++ b/draft-ietf-dnsop-compact-denial-of-existence.xml
@@ -348,8 +348,9 @@
Response Code Restoration
- For non-existent names, implementations should try wherever
- possible, to preserve the response code value of 3 (NXDOMAIN).
+ For non-existent names, implementations SHOULD try, whenever
+ possible, to use response code 3 (NXDOMAIN), as is consistent with
+ client expectations when the NXNAME signal is not understood.
This is generally possible for non-DNSSEC enabled queries,
namely those which do not set the DNSSEC_OK EDNS flag (DO bit).
For such queries, authoritative servers implementing Compact Denial
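Review bot: In the added sentence "implementations SHOULD try, whenever possible, to use response code 3 (NXDOMAIN)", the BCP 14 keyword is attached to "try" and then hedged again by "whenever possible", so conformance cannot be tested. Suggest "SHOULD return response code 3 (NXDOMAIN)" plus a statement of the case where that is not possible. The trailing clause "when the NXNAME signal is not understood" also reads as a condition on the SHOULD rather than as its rationale. Since the following context sentence already scopes this to queries that do not set the DO bit, consider moving the rationale into a sentence of its own.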
@@ -453,17 +454,8 @@
- This paragraph is updated to the following:
+ This paragraph is removed.
-
- -
- Bits representing pseudo-types MUST be clear, as they do not appear
- in zone data. If encountered, they MUST be ignored upon being read.
- There is one exception to this rule for Compact Denial of Existence
- (RFC TBD), where the NXNAME pseudo-type is allowed to appear in
- responses to non-existent names.
-
-
Note: as a practical matter, no known resolver insists that
pseudo-types must be clear in the NSEC type bitmap, so this
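Review bot: Changing the lead-in to "This paragraph is removed." drops more than the NXNAME carve-out: the deleted text also carried "If encountered, they MUST be ignored upon being read" for every pseudo-type. The Note kept as context only argues that no known resolver insists the bits be clear, which does not say how a reader of the bitmap should treat pseudo-type bits other than NXNAME. Suggest either keeping the ignore-on-read sentence together with the NXNAME exception, or adding a sentence that states what behaviour replaces it.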
@@ -490,13 +482,13 @@
- This paragraph is updated to the following::
+ This paragraph is updated to the following:
-
- An NSEC record (and its associated RRSIG RRset) MUST NOT be the only
+ An NSEC record (and its associated RRSIG RRset) SHOULD NOT be the only
RRset at any particular owner name. That is, the signing process
- MUST NOT create NSEC or RRSIG RRs for owner name nodes that were not
+ SHOULD NOT create NSEC or RRSIG RRs for owner name nodes that were not
the owner name of any RRset before the zone was signed. The main
reasons for this are a desire for namespace consistency between
signed and unsigned versions of the same zone and a desire to reduce
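Review bot: Both "MUST NOT" to "SHOULD NOT" changes relax the rule for every signer, and the paragraph never says when deviating is acceptable. The unchanged rationale ("namespace consistency between signed and unsigned versions of the same zone") still reads as the argument for an absolute rule. The paragraph deleted in the previous hunk handled the same tension with an explicit carve-out ("There is one exception to this rule for Compact Denial of Existence"). Suggest the same pattern here, or add a sentence naming the case in this draft that justifies deviating, so the SHOULD NOT is not read as a general loosening.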
@@ -512,7 +504,7 @@
-
+
Implementation Status
Cloudflare, NS1, and Amazon Route53 currently implement the