<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 2.6.10) -->
<?rfc tocindent="yes"?>
<?rfc sort refs="yes"?>
<?rfc strict="yes"?>
<?rfc compact="yes"?>
<?rfc inline="yes"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-farrokhi-dnsop-ede-nta-01" category="info" submissionType="IETF" updates="7646" tocInclude="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="EDE NTA">Disclosure of Negative Trust Anchors in DNS Responses</title>
    <seriesInfo name="Internet-Draft" value="draft-farrokhi-dnsop-ede-nta-01"/>
    <author initials="B." surname="Farrokhi" fullname="Babak Farrokhi">
      <organization>Quad9</organization>
      <address>
        <email>babak@farrokhi.net</email>
      </address>
    </author>
    <author initials="J." surname="Abley" fullname="Joe Abley">
      <organization>Cloudflare</organization>
      <address>
        <email>jabley@cloudflare.com</email>
      </address>
    </author>
    <author initials="S." surname="Neuteboom" fullname="Sebastiaan Neuteboom">
      <organization>Cloudflare</organization>
      <address>
        <email>sebastiaan@cloudflare.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="19"/>
    <area>Internet</area>
    <keyword>DNS</keyword>
    <keyword>EDE</keyword>
    <keyword>Extended DNS Errors</keyword>
    <keyword>DNSSEC</keyword>
    <keyword>NTA</keyword>
    <keyword>Negative Trust Anchor</keyword>
    <abstract>
      <?line 33?>

<t>This document describes a mechanism for disclosing that a Negative
Trust Anchor (NTA) was in effect at the time that a DNS response
was generated, using an Extended DNS Error (EDE).</t>
    </abstract>
  </front>
  <middle>
    <?line 39?>

<section anchor="introduction">
      <name>Introduction</name>
      <t><xref target="RFC8914"/> defines the Extended DNS Error (EDE) mechanism, which
allows DNS servers to encode additional information in a DNS response.</t>
      <t><xref target="RFC7646"/> defines the concept of a DNSSEC Negative Trust Anchor
(NTA), an operational mechanism by which a validating resolver can
be configured to temporarily disable DNSSEC validation for a specific
domain to mitigate misconfiguration.</t>
      <t>A resolver with an NTA in effect might send a response that ordinarily
would have been suppressed because of validation failures.  This
document defines a new EDE that can be sent within a response to
indicate that the response was subject to an active NTA.</t>
      <t>A further goal of this signal is transparency toward end users and
applications.  <xref section="3.1" sectionFormat="of" target="RFC7646"/> recommends that operators
disclose the NTAs they have in place, for example on a website, and
notes that no in-band DNS signal exists to indicate that an NTA is in
effect.  This document defines that in-band signal, complementing such
out-of-band disclosure.</t>
    </section>
    <section anchor="terminology">
      <name>Terminology</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>This document assumes a familiarity with common DNS terminology as
described in <xref target="RFC9499"/>.</t>
    </section>
    <section anchor="extended-dns-error-code-33-negative-trust-anchor-in-effect">
      <name>Extended DNS Error Code 33 - Negative Trust Anchor in Effect</name>
      <t>A response that includes one or more instances of EDE 33 was
generated with a covering NTA <xref target="RFC7646"/> in effect.</t>
      <t>As with all EDEs, the EDE defined in this document is diagnostic;
per <xref section="6" sectionFormat="of" target="RFC8914"/> a client <bcp14>MUST NOT</bcp14> use its presence
to alter protocol processing.  The inclusion of this EDE in a
response does not change AD bit processing in DNS messages in any
way. The only purpose of this EDE is to provide additional information
about the response in which it appears.</t>
      <t>This EDE is intended for use in DNS responses sent by a DNS resolver
with a configured NTA and <bcp14>MUST NOT</bcp14> be included in other responses.
For example, a DNS response sent by an authoritative-only DNS server,
which does not perform validation and hence has no obvious use for
an NTA, <bcp14>SHOULD NOT</bcp14> include this EDE.</t>
    </section>
    <section anchor="operational-considerations">
      <name>Operational Considerations</name>
      <t>An operator that applies an NTA <bcp14>SHOULD</bcp14> return this EDE in affected
responses, so that end users and applications can tell that the
response may not have been DNSSEC-validated.  This complements, and
does not replace, the disclosure recommended in <xref section="3.1" sectionFormat="of" target="RFC7646"/>.</t>
      <t>A response might be affected by an NTA for various reasons, not
just in the case where the QNAME is subordinate to the domain for
which an NTA has been configured. In any case, a resolver <bcp14>MAY</bcp14> include
this EDE on any responses while an NTA is in effect, regardless of
whether the presence of the NTA had a material effect on the contents
of the response.</t>
      <t>A resolver with multiple NTAs in place simultaneously <bcp14>MAY</bcp14> include
multiple instances of this EDE in a single response. Multiple
instances of this EDE in a single response might each have different
EXTRA-TEXT fields, for example, and might each describe a different
active, applicable NTA. When multiple instances of this EDE are
included in a response, the EXTRA-TEXT field in each instance <bcp14>MUST</bcp14>
be populated.</t>
      <t>The operator <bcp14>MAY</bcp14> use the EXTRA-TEXT field to add context about the
NTA, such as the name at which it was configured, the reason it was
put in place, a reference where more information can be found, or
its expected duration.  As noted in <xref section="2" sectionFormat="of" target="RFC8914"/>,
EXTRA-TEXT is intended for human consumption; operators <bcp14>SHOULD</bcp14> keep
it readable and <bcp14>SHOULD NOT</bcp14> include private or sensitive information.</t>
      <t>Structured data <bcp14>MAY</bcp14> be included in the EXTRA-TEXT field, as described
in <xref target="I-D.ietf-dnsop-structured-dns-error"/>. The JSON Names "d" and
"t" have been registered for this purpose (see <xref target="iana"/>) and should
be used and interpreted when used with this EDE as follows:</t>
      <table>
        <thead>
          <tr>
            <th align="left">JSON Name</th>
            <th align="left">Use and interpretation for this EDE</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">d</td>
            <td align="left">The domain name at which an active NTA has been configured</td>
          </tr>
          <tr>
            <td align="left">t</td>
            <td align="left">An indicative time at which this NTA might be expected to remain in place until</td>
          </tr>
        </tbody>
      </table>
      <t>Note that it is usual for NTAs to be configured in response to
unplanned events that have afflicted unaffiliated third parties,
and hence consumers of structured EXTRA-TEXT should be interpret
timestamps with generous flexibility.</t>
    </section>
    <section anchor="iana">
      <name>IANA Considerations</name>
      <t>The IANA has made the following allocation in the "Extended DNS
Error Codes" registry under the "Domain Name System (DNS) Parameters"
registry group:</t>
      <table>
        <thead>
          <tr>
            <th align="left">INFO-CODE</th>
            <th align="left">Purpose</th>
            <th align="left">Reference</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">33</td>
            <td align="left">Negative Trust Anchor</td>
            <td align="left">This document</td>
          </tr>
        </tbody>
      </table>
      <t>The IANA is directed to update the "EXTRA-TEXT JSON Names" registry under
the "Domain Name System (DNS) Parameters) registry group by adding the
following entries:</t>
      <table>
        <thead>
          <tr>
            <th align="left">JSON Name</th>
            <th align="left">Field Meaning</th>
            <th align="left">Description</th>
            <th align="left">Reference</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">d</td>
            <td align="left">domain-name</td>
            <td align="left">A fully-qualified domain name (in the case of an IDN, containing only A-labels) with no trailing period</td>
            <td align="left">This document</td>
          </tr>
          <tr>
            <td align="left">t</td>
            <td align="left">timestamp</td>
            <td align="left">A timestamp in <xref target="RFC3339"/> format</td>
            <td align="left">This document</td>
          </tr>
        </tbody>
      </table>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>An NTA represents an intentional, operator-driven suspension of
DNSSEC validation for a specific domain. See <xref target="RFC7646"/> for further
discussion of the operational and security implications of NTAs.</t>
      <t>The presence of the EDE defined in this document does not modify
AD bit processing in DNS messages, and its only purpose is to provide
additional information.</t>
      <t>EDEs encoded in DNS messages carry no cryptographic signatures and
hence enjoy no inherent integrity protection.  An on-path attacker
could add, remove, or modify an EDE.  Clients that require integrity
protection of these signals should use a suitable mechanism, such
as TSIG <xref target="RFC8945"/>, SIG(0) <xref target="RFC2931"/> or an authenticated and
encrypted transport protocol such as DNS over TLS <xref target="RFC7858"/> or
DNS over HTTPS <xref target="RFC8484"/>.  See <xref section="6" sectionFormat="of" target="RFC8914"/> for
more discussion.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC8914" target="https://www.rfc-editor.org/info/rfc8914" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8914.xml">
          <front>
            <title>Extended DNS Errors</title>
            <author fullname="W. Kumari" initials="W." surname="Kumari"/>
            <author fullname="E. Hunt" initials="E." surname="Hunt"/>
            <author fullname="R. Arends" initials="R." surname="Arends"/>
            <author fullname="W. Hardaker" initials="W." surname="Hardaker"/>
            <author fullname="D. Lawrence" initials="D." surname="Lawrence"/>
            <date month="October" year="2020"/>
            <abstract>
              <t>This document defines an extensible method to return additional information about the cause of DNS errors. Though created primarily to extend SERVFAIL to provide additional information about the cause of DNS and DNSSEC failures, the Extended DNS Errors option defined in this document allows all response types to contain extended error information. Extended DNS Error information does not change the processing of RCODEs.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8914"/>
          <seriesInfo name="DOI" value="10.17487/RFC8914"/>
        </reference>
        <reference anchor="RFC7646" target="https://www.rfc-editor.org/info/rfc7646" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7646.xml">
          <front>
            <title>Definition and Use of DNSSEC Negative Trust Anchors</title>
            <author fullname="P. Ebersman" initials="P." surname="Ebersman"/>
            <author fullname="W. Kumari" initials="W." surname="Kumari"/>
            <author fullname="C. Griffiths" initials="C." surname="Griffiths"/>
            <author fullname="J. Livingood" initials="J." surname="Livingood"/>
            <author fullname="R. Weber" initials="R." surname="Weber"/>
            <date month="September" year="2015"/>
            <abstract>
              <t>DNS Security Extensions (DNSSEC) is now entering widespread deployment. However, domain signing tools and processes are not yet as mature and reliable as those for non-DNSSEC-related domain administration tools and processes. This document defines Negative Trust Anchors (NTAs), which can be used to mitigate DNSSEC validation failures by disabling DNSSEC validation at specified domains.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7646"/>
          <seriesInfo name="DOI" value="10.17487/RFC7646"/>
        </reference>
        <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC9499" target="https://www.rfc-editor.org/info/rfc9499" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9499.xml">
          <front>
            <title>DNS Terminology</title>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <author fullname="K. Fujiwara" initials="K." surname="Fujiwara"/>
            <date month="March" year="2024"/>
            <abstract>
              <t>The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document.</t>
              <t>This document updates RFC 2308 by clarifying the definitions of "forwarder" and "QNAME". It obsoletes RFC 8499 by adding multiple terms and clarifications. Comprehensive lists of changed and new definitions can be found in Appendices A and B.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="219"/>
          <seriesInfo name="RFC" value="9499"/>
          <seriesInfo name="DOI" value="10.17487/RFC9499"/>
        </reference>
        <reference anchor="I-D.ietf-dnsop-structured-dns-error" target="https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-structured-dns-error-25" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-dnsop-structured-dns-error.xml">
          <front>
            <title>Structured Error Data for Filtered DNS</title>
            <author fullname="Dan Wing" initials="D." surname="Wing">
              <organization>Citrix Systems, Inc.</organization>
            </author>
            <author fullname="Tirumaleswar Reddy.K" initials="T." surname="Reddy.K">
              <organization>Nokia</organization>
            </author>
            <author fullname="Neil Cook" initials="N." surname="Cook">
              <organization>Open-Xchange</organization>
            </author>
            <author fullname="Mohamed Boucadair" initials="M." surname="Boucadair">
              <organization>Orange</organization>
            </author>
            <date day="10" month="July" year="2026"/>
            <abstract>
              <t>DNS filtering is widely deployed for various reasons, including network security and policy enforcement. However, filtered DNS responses lack structured information for end users to understand the reason for the filtering. Existing mechanisms to provide explanatory details to end users cause harm especially if the blocked DNS response is for HTTPS resources. This document updates RFC 8914 by signaling client support for structuring the EXTRA-TEXT field of the Extended DNS Error to provide details on the DNS filtering. Such details can be parsed by the client and displayed, logged, or used for other purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-dnsop-structured-dns-error-25"/>
        </reference>
        <reference anchor="RFC3339" target="https://www.rfc-editor.org/info/rfc3339" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3339.xml">
          <front>
            <title>Date and Time on the Internet: Timestamps</title>
            <author fullname="G. Klyne" initials="G." surname="Klyne"/>
            <author fullname="C. Newman" initials="C." surname="Newman"/>
            <date month="July" year="2002"/>
            <abstract>
              <t>This document defines a date and time format for use in Internet protocols that is a profile of the ISO 8601 standard for representation of dates and times using the Gregorian calendar.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3339"/>
          <seriesInfo name="DOI" value="10.17487/RFC3339"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC8945" target="https://www.rfc-editor.org/info/rfc8945" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8945.xml">
          <front>
            <title>Secret Key Transaction Authentication for DNS (TSIG)</title>
            <author fullname="F. Dupont" initials="F." surname="Dupont"/>
            <author fullname="S. Morris" initials="S." surname="Morris"/>
            <author fullname="P. Vixie" initials="P." surname="Vixie"/>
            <author fullname="D. Eastlake 3rd" initials="D." surname="Eastlake 3rd"/>
            <author fullname="O. Gudmundsson" initials="O." surname="Gudmundsson"/>
            <author fullname="B. Wellington" initials="B." surname="Wellington"/>
            <date month="November" year="2020"/>
            <abstract>
              <t>This document describes a protocol for transaction-level authentication using shared secrets and one-way hashing. It can be used to authenticate dynamic updates to a DNS zone as coming from an approved client or to authenticate responses as coming from an approved name server.</t>
              <t>No recommendation is made here for distributing the shared secrets; it is expected that a network administrator will statically configure name servers and clients using some out-of-band mechanism.</t>
              <t>This document obsoletes RFCs 2845 and 4635.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="93"/>
          <seriesInfo name="RFC" value="8945"/>
          <seriesInfo name="DOI" value="10.17487/RFC8945"/>
        </reference>
        <reference anchor="RFC2931" target="https://www.rfc-editor.org/info/rfc2931" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2931.xml">
          <front>
            <title>DNS Request and Transaction Signatures ( SIG(0)s )</title>
            <author fullname="D. Eastlake 3rd" initials="D." surname="Eastlake 3rd"/>
            <date month="September" year="2000"/>
            <abstract>
              <t>This document describes the minor but non-interoperable changes in Request and Transaction signature resource records ( SIG(0)s ) that implementation experience has deemed necessary. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2931"/>
          <seriesInfo name="DOI" value="10.17487/RFC2931"/>
        </reference>
        <reference anchor="RFC7858" target="https://www.rfc-editor.org/info/rfc7858" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7858.xml">
          <front>
            <title>Specification for DNS over Transport Layer Security (TLS)</title>
            <author fullname="Z. Hu" initials="Z." surname="Hu"/>
            <author fullname="L. Zhu" initials="L." surname="Zhu"/>
            <author fullname="J. Heidemann" initials="J." surname="Heidemann"/>
            <author fullname="A. Mankin" initials="A." surname="Mankin"/>
            <author fullname="D. Wessels" initials="D." surname="Wessels"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="May" year="2016"/>
            <abstract>
              <t>This document describes the use of Transport Layer Security (TLS) to provide privacy for DNS. Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626. In addition, this document specifies two usage profiles for DNS over TLS and provides advice on performance considerations to minimize overhead from using TCP and TLS with DNS.</t>
              <t>This document focuses on securing stub-to-recursive traffic, as per the charter of the DPRIVE Working Group. It does not prevent future applications of the protocol to recursive-to-authoritative traffic.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7858"/>
          <seriesInfo name="DOI" value="10.17487/RFC7858"/>
        </reference>
        <reference anchor="RFC8484" target="https://www.rfc-editor.org/info/rfc8484" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8484.xml">
          <front>
            <title>DNS Queries over HTTPS (DoH)</title>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <author fullname="P. McManus" initials="P." surname="McManus"/>
            <date month="October" year="2018"/>
            <abstract>
              <t>This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS. Each DNS query-response pair is mapped into an HTTP exchange.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8484"/>
          <seriesInfo name="DOI" value="10.17487/RFC8484"/>
        </reference>
      </references>
    </references>
    <?line 190?>

<section anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>The authors acknowledge review and ideas from Carlos Horowicz,
Mukund Sivaraman, Ralf Weber, Warren Kumari, Robert Edmonds and
Petr Spacek.</t>
    </section>
    <section anchor="examples">
      <name>Examples</name>
      <t>The following examples use configurations that exist in the DNS at
the time of writing. Readers from the future may need to create
analogous configurations in order to reproduce the results illustrated
here.</t>
      <t>These examples were constructed using the well-known diagnostic tool
dig, as shipped with BIND9. The output was hand-edited slightly to
fit the formatting constraints of the document, but is otherwise
consistent with the original output.</t>
      <section anchor="nta-in-effect-valid-dnssec-configuration">
        <name>NTA in Effect, Valid DNSSEC Configuration</name>
        <t>The zone NTAMUCH.ORG is signed and an intact and functional path
of trust exists back to the root zone. An NTA is applied to the
domain NTAMUCH.ORG at the security-aware, validating resolver
1.1.1.1, but not at 9.9.9.9.</t>
        <artwork><![CDATA[
jabley@manta ~ % dig @1.1.1.1 NTAMUCH.ORG SOA +nocd +rec +multiline

; <<>> DiG 9.20.24 <<>> @1.1.1.1 NTAMUCH.ORG SOA +nocd +rec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46491
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 33: (a Negative Trust Anchor has been applied for this query
;   (see RFC 7646))
;; QUESTION SECTION:
;NTAMUCH.ORG.           IN SOA

;; ANSWER SECTION:
NTAMUCH.ORG.  1800  IN  SOA barbara.ns.cloudflare.com. dns.cloudflare.com. (
                          2407706086 ; serial
                          10000      ; refresh (2 hours 46 minutes 40 seconds)
                          2400       ; retry (40 minutes)
                          604800     ; expire (1 week)
                          1800       ; minimum (30 minutes)
                        )

;; Query time: 21 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Fri Jun 26 10:49:10 CEST 2026
;; MSG SIZE  rcvd: 181

jabley@manta ~ % dig @9.9.9.9 NTAMUCH.ORG SOA +nocd +rec +multiline

; <<>> DiG 9.20.24 <<>> @9.9.9.9 NTAMUCH.ORG SOA +nocd +rec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7960
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;NTAMUCH.ORG.           IN SOA

;; ANSWER SECTION:
NTAMUCH.ORG.  1767  IN  SOA barbara.ns.cloudflare.com. dns.cloudflare.com. (
                          2407706086 ; serial
                          10000      ; refresh (2 hours 46 minutes 40 seconds)
                          2400       ; retry (40 minutes)
                          604800     ; expire (1 week)
                          1800       ; minimum (30 minutes)
                        )

;; Query time: 11 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP)
;; WHEN: Fri Jun 26 10:49:20 CEST 2026
;; MSG SIZE  rcvd: 105

jabley@manta ~ %
]]></artwork>
      </section>
      <section anchor="nta-in-effect-validation-problems-expected">
        <name>NTA in Effect, Validation Problems Expected</name>
        <t>The zone BROKEN.NTAMUCH.ORG is delegated from the NTAMUCH.ORG zone
using an accurate NS RRSet both sides of the zone cut, but a
deliberately-fabricated DS RRSet at on the parent side. Records in
the child zone are not signed, and no child zone DNSKEY RRSet exists.
The effect is a secure delegation to an unsigned zone, a broken
configuration that we should expect to trigger validation failures.</t>
        <t>The same NTA as described in the previous example is in place for
the domain NTAMUCH.ORG on the resolver 1.1.1.1, but, again, not
on the resolver 9.9.9.9.</t>
        <t>Both resolvers include different EDEs in the response which illustrate
the problem, but note the different RCODEs: with the NTA in place, the
1.1.1.1 resolver returns an answer with NOERROR while the 9.9.9.9
resolver with no applicable NTA correctly returns RCODE SERVFAIL.</t>
        <artwork><![CDATA[
jabley@manta ~ % dig @1.1.1.1 BROKEN.NTAMUCH.ORG SOA +nocd +rec +multiline

; <<>> DiG 9.20.24 <<>> @1.1.1.1 BROKEN.NTAMUCH.ORG SOA +nocd +rec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25660
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for
;   broken.ntamuch.org.)
; EDE: 33: (a Negative Trust Anchor has been applied for this
;   query (see RFC 7646))
;; QUESTION SECTION:
;BROKEN.NTAMUCH.ORG.    IN SOA

;; ANSWER SECTION:
BROKEN.NTAMUCH.ORG.  300  IN  SOA maleah.ns.cloudflare.com. dns.cloudflare.com. (
                                2407705944 ; serial
                                10000      ; refresh (2 hours 46 minutes 40 seconds)
                                2400       ; retry (40 minutes)
                                604800     ; expire (1 week)
                                1800       ; minimum (30 minutes)
                                )

;; Query time: 20 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Fri Jun 26 10:52:52 CEST 2026
;; MSG SIZE  rcvd: 245

jabley@manta ~ % dig @9.9.9.9 BROKEN.NTAMUCH.ORG SOA +nocd +rec +multiline

; <<>> DiG 9.20.24 <<>> @9.9.9.9 BROKEN.NTAMUCH.ORG SOA +nocd +rec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20047
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 9 (DNSKEY Missing)
;; QUESTION SECTION:
;BROKEN.NTAMUCH.ORG.    IN SOA

;; Query time: 116 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP)
;; WHEN: Fri Jun 26 10:53:05 CEST 2026
;; MSG SIZE  rcvd: 53

jabley@manta ~ %
]]></artwork>
      </section>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAO1gXGoAA+1a23IbN7Z9x1fgKDVV0gnJIilKliiXE1qkYyUWJZPyeDJT
8wB2g2RHze5OX0RzrORbzrfMl83aG+gbRdmOncnMw2FSVhMNbAD7svbaAJvN
pki91Nd9uTf0EscPkyzWMpzLsV6o1LvT8ibOklQOAmcZxon0AjkcT+VEJ1EY
JDrZE2o2i/Udxo+GIzm+GewJN3QCtYJIN1bztDlXcRzeLr2mGyRh1NSubgap
arY7wlGpXoTxpg+x81AkaazVqi8vRjcvhBfFfZnS3N12+7TdFQov8S5IdRzo
VNzqzTqM3b6QsklL4r9Ygvn7LtWBq11e6wjTx0nebzo650es1PzdtU8ReX35
tzR0GhL/eBAVpA2ZhHEqYz1P8LhZ2Yc09hy8c8JVpOjBC3wv0H8XWeRid0lf
PjnuHQuVpRBrFusFaH3eki+sXtAopVHYczVTt/UXYbzoy9eZck/5q14pz+/L
GXX8NtdsixRSiP6+JQczX28qcr8PdaWNRZ77YebOfWi1KvcnRb2+dYqXLWys
FD1tQV9Zqmcht+bip3qmktRTKth6/YGZkmLM9mxN+CT9I9UM2oVShbhZeomE
W2UrGEK6OnFib6YTqeRKO0sVeMlKzsNYusaFvWAh06VK8T43r6iaV+7D+gdy
rdif9XyuHfRNMUbL1FvpfDB5T2w9XVDvhQ50DLO6DZnxLNjxQ1+T+/DDg5bZ
xMpzXV8L8RW5bhy6mZN6YSDE+/f/M3lxfnLa6f3yC3Y0h9MkvIDH5JVbbcj1
0nOWQvl+uE64X6LjO43wTEOpAyd0tVSu69FMyufgileKvtF+6/tq5UshP91a
ihMGjo5SggNlY+eReGGFNkgdYUQaMhOXxpltzJoh5075HkKDtIc1hD7WLR0V
iBnPN/cWACCXNpLqVRTGKvb8DRmWPDNfRC4DGyKzK5lE2vHmngPsgXsFNHyF
7WOpGg9JLpiHYMeDcuq1ly5p3dhAxRlW3mKZQquBC+G5qoxbAHS8gFcl1mHm
u3KpoI2Z1oFMsihC5wTrn2lHZQkjaXWxcH1sL2lJSS4tKi5ttK5koNcEY2Yu
6AWSaB0pL5StVy4nFIAmj1DUdCebFW/JX5Ns9hNtB+qAJIQSGQ47ZRXMsxgD
YrkIYSqsM6UgS7wFuwwcIFZBEiEoA2cDAWsVu5L0gV3B0VTgChVFPs2OndGO
3r+fanZuedjqkMCKV8UakY2duolVInsJwbINWc2Lx9LY8zZGqdhu5CtHN9jK
+p1aRfCBkJSw1rPES3WDFxKEqbaCgxCjmjO0mrgw29HvvCTl6KgrLLc74YAw
premkQ9MwwNy2UaugX1fUz/y5yRDVIZZ2gznpptbpNQWIcCNjldeEPrhYkOY
piWSmKQslsi9yzfTm72G+SvHV/w8Gb1+czEZDel5+nLw6lXxIGyP6curN6+G
5VM58vzq8nI0HprBaJW1JrF3Ofhxj7Un966uby6uxoNXe6TwtLZ5mJ+0NiNb
IPHCuwF+UsFsFoNdGvP8/Pqf/9fpSQMk3U7nFCa3ANd5QgC3XurAzBYG/sZ+
JUOTE2kVMy75Phw+8lLlI7GS9y7DdSDhoqS9//0baebvffl05kSd3jPbQBuu
NeY6qzWyzh62PBhslLijacc0hTZr7Vuarq938GPte673SuPTb4g9yGbn5Jtn
YjvvqSTBA4HEXK083wMIpRsDYBRdoaFmaelkDwxlbHLaO4WB2CN3JJtzyh6H
h49RIxIz4kixMFqBRi9w/AwTwsgI01iuwpgcJ0kV8khCkEDIBtnAJlHkUgvB
2APwmMKIQrKWkwpcJtxKbH94C6QlDZM0IdcEqvvQienZU4sgBN9wzgSgp4JV
xzlS2VSMdfgejcq9iwBPekAPgnaAoRaEpj7UjJYQ9DD06QEbJEbA8KGNJhKS
nwMrrZCcXBQqc0PoBNAlKUkuQNCGcualFVk52YbNE7XQTFZUgLSjNi2ehWMp
yuIoNJmmnIixDpLuvEepAIg7oKqeMzCBSdNYhwnMpGW90IolGGCHIUTOzJAq
nUhMskK+L2gG51lRGLlI8WRmQoRC0TOdexAbMeTsVAhuiRdlEmhssZhyVqiI
uTZghHy3yToqKVJDmA0Wyoc3kEqqWZoWtSRLIwtRJxnO7rwwS3i/6CxM2mjI
EhvyhRcm4Oi6qnChcywTxjDfE/hxUCRBm4som1J0m5xkZQNwsziouxCHgnYL
T6IyJDRCaglaVhM0c4lUI2pyqlB64kptWBclkzE8q2mVot08K5b5LjGpt9Bj
rG2qJocq816Z+XMEqpMEUYZ5qwYohoHBJfLtWuuSbsj37oB+ZBNUhQkGNGgR
4ifCKY5/kElFJIiyB399PR5csgeDExkKl3Jq4+Ua0kimtSzVzEPmZ3WUXtsC
jacgZPENw8YMkQS6514gCnOFpnMZHZAPClPlHRbaGui0AMfyEeykF6yc/Z/W
lyOPiXFt10bUFKEMzCSGY3hrGOTEPSUbCTugQva3qe8q81OPaBVzr5xxgeDQ
CxVo6BgBVN1cMaKG7DUPlQRffmVeeWkHiU8fZF1AKxiEPdP1sEnw0VSM/nIz
GTRv8EfOPe27SY0hGqJRGZ3nQMxRyjBsuJEHycyooCXfIvTlR/ZItWwVqkpS
btPR1vrYzLSSXByDHpU8URhlPkeYYYQFJpDGM0uLH4ijDOS6xszvAB05kguG
JaKhxJ9oKBXoVNoWsE5lQenODeseFEP2rYiytMK8aWusMSePJpvVy5rSVinz
MAsgEEFE2VK/i0zYunnZJeWAoWIbCLr1DNyoWnc74yyzleJwBBOKaPRZWUrk
kHmrdYQl0K5cNit5ww6ojmLvjkAAYhFdqCa8u9q+YJFpGqNe52wFGFRslK0s
tcs+zF4L4iUM8bpoDlueTuf2GCwpRFNDUxP3AgZyXv9+ejWWY0Vcb8/dY5zd
S/cq8AyoQEGjY6sV9sucB+wnWmM+TwXql18OePMg0ihUyd0yqk2pqUrniY2b
N4wIpZcnkM5nDH0h7stVSXkv3yS6Lqesxovx8h6jXFl87nlzFmzrjlmrTnfh
rhGWVoUNgryao3F8blPI4zWQqCKNFP6I2Ik1L6EAuwzlm08ziHGYl4Ye88Ys
yQCutCtTmnIpVFmVF9TK8SyAwIBIqL4j/DWi2G5IY4AZWkAW4JnoO69m6aGu
RpmdIvc3REk9jI9TJkd0lM5S9TVj1lpxJkgNgJhVZGkys2zKk3MfRfAM06Yb
ODYdRw3Ggy1WIt9/xW5joIg7kClWyjU4ZLyBz73w4BQnSvRur1pKiLKUSPas
t8Yb7Ny1GW1vaLyA3Wm6gS+v5D4GHshrFaMN20n2RDFwgS1E7IQX4xdXzfMr
9i55bV2+/rmXkwKx+Lu47zfLT+1L+ZFb7exvKFVKqbvLofut44L7ivK48IgL
tzNHwlZbpRnLaN9WlfhUVR3IuqqYK4H18zmoFqXdsMIYjrYVz/fyBaeVS60C
6nUvhwxejLA1fdZ0+VBl/Ue+bSHBvQWBJoMAx7KcZ76/af6McPOAoW4NJvar
lI4OIwN5MRw3OP+hEy2Zaf6g6auZ9qEO9n0w9zRWcHm8R5LwQlc+MNcWrNzL
IoBylKm0FBX04eEhHXGYVLFTKEUYElzGJfoO7k/YBMrMxC5l0s95zhQLjSKp
NV0kKT5ZTCLKUVxQio+dglrltbACXa+kqZ899+OTtywpi1RdO7vlvJFvwFtV
Cgm6HAIYWsKyzU0/WIkX1cIqBBHbiI+WvIbKEZ+o1bq1+lbsrm+xPjofsOfh
7oNi2lFxTGWPdOJNlIaLWEVIHeZkj6DWnHEaMNbBT+HGnC0umT2ytRasGzoE
MEyGGA50GTQjRbVumirnFnp2GKWxSKL4q5A4J5+NkAb4AgHVopTnfOpgM0as
f868WJeziHIWq2iqefkQMsnzALFF+ECGypdYT+W6gM8lAeQ304vv4A/fMNfq
HYFrSbTstw9sY/f0sAMnIV8yZTQ5pMN5inQBVZCqCMz4bJiuw4ojkJx0ko7p
IEfevJpasU9Ojk5YrChevry5uc5fn/ROesR8rLc+djBD1RlTz9Jv7RXLDHqm
eBs4t0G49rW7MBWqcVBzHABrlm+h3ztPr41vuZp4Thyu5LmKUbTKl2EMsHT+
0RCX2W1G3BE8EUirgoacKH8u3+qZjhvyLRwIofkDKGns4VWI1lSO3FVIx9yk
sGudxnIagWLc2tM2rk/swiqobNvZhLW7CusPfH6dZ1pSokpFcVkFNa3hI3z4
NAHnJc7A++GUnZEvmwpfmzTkgBiniBr4TrggarA1Ix29xJyoQ4YourPSeRmJ
ugg9fD+jqzk6hLDHszfskcVG1lQoEIVh4kKkx17KoYjQvt8kUwSVUznMFfpA
pIU9+PWiKKejzy/Gw1N73pWlVJxQCQPXdpsacY9uiU8kz6dbCjH3UktVCAb4
VN4sA3iYJjlI5YDUkLOMeR6fNa29RAvqTdza3rgYXIy9hUfwYhZAtvwqvzAa
2er9zwTG+f3UeVWjxtr/oDNRjLl8c/6ydTX5TtrLFsvHTQJQdA+Jb/MscCyi
EZZwGc+kw15kkMfnhxdxCDwl6S05KI4VzGGSa/vkt2LV6e11UQ7xTbVGUdvY
dTsnOi3+zyiL0BtjT1vmPyF+/fVXYa+NESIokn6Vf4JlF/JbO6427fRqIL8O
QseVX4MYya+50KYzbyHO5NOnz57JofcdpHfbrW7PNPxGOWdyv2MP+0xJeiDO
zuTCD2dkQKY0SV9+7axcav+OthMk8Nc+fW0+e/ZyNBiOJk+fNtGZMkdfvn4z
mvxIV/3ICxg6vhpNJleTBqCjL3vHvdMOjZz7aoGXP8cSfD5WZ2ZUX0Jtg/H0
7WhiHt/cvLyaXNzgRRvfhsMLcwWAl4KkXF3fyOvp6M3wCm5Er7AqJIjxtC/p
fhdr54FmsjOZuRFGdg+73GvUB2Hty331CFUtyqrcO4pq7edMxxvIkKZ6BOjy
zxYOWHXYyJSWIsslVSzRqjDvizHZhTdi9lwOqY/onLTb3J3tOFMx/letIGnV
fwrQku6Otn0hH/10e+0nT9rH7ZNjeUZO4Cn/A7077Tatgz5ndMwBj1/K/a5E
PgWG9o5RPQYZXS322hQohOsHH57cSmNxxMb3MdIK+dDI43bvxI49o0qVcj+8
eK317YeGdU4qE2Iab5WhNjj8hCkP2EivyeycRPqy25Er7JGap6PJn9lfTdx9
dXS4bx8P5P6b4TV7xduXo3Ffvog9+X0WyO4xlNnvnfY7bXkOd5HddveYul1O
EasXf0W5Fjt3iJfOCRx9N1xYSPliuPhtcv5YuHhyetzegRZgh384YPx7AvvJ
8ZP/D+zy818Q2J2HgW0jhALbPn48sLsfC+z20cPAZnLwGFkylet1HGLMKgE5
Ngd0Fbr0fHL1w2jc2mJNrvYpvVH+yllutQeNFMWvs5TjEA1Dl6mcTKY6lTNw
PUnleMEGeS4ns2xQCUzgzfhu2t8052oW2xpomItQxUUL/z4mZXFEvh3+LYcX
MDl3lh6qMhZOP6Mg4mQInylqqfIseyBifxj9aOUbltdiRdiLHeJ0hqzpXAGk
PfPDniywTJJE0ZH9LA5vdSBqxN5UEmudl4vmQJQZIujtQsc7f6hkrJHQKQzf
11bOtfN6JKJqiuqI/Ac6XuUeiaq2yhVb1VBWhcV1VJVmYhML9De3etsdS+75
nGyZtyfFyX5xycO/EMjXWf4yytyFFEWMMLtgPyxIrrYXmbmkCR06ArKLosC6
dHnrmfPkcqHm8pZPd0zSMKNtRrB3gSTL7kjUr+bgIfXLKZQyMR0n+ptCNC+L
A/vF4OLVJ9HxHVH1Jaz8N4n7Y7Nt9+h4Z7r9D5HzUz63pTC/9Pi06wBkHUae
jq7pIhdoYEtkAA0rh6OHWLmJ5xbMucqcZSuMF62DL6P8LJZp/ydS/odmZoLw
AWawc8RhlfivlK/V8vegB0WeBkk4Ou31PoUk2FT7+1KFYiGfSRjM5zNpg93R
Z5OH/LOjOmh/eXVw1MX/HyYR3d4OElGvDn4n9Poscf929Mpx3MJXu9178onw
1f5PwNdnQ0Wdnx5/OUE9Ouy3jz7sW0eHj/HTfwF8xHAOBTMAAA==

-->

</rfc>
