diff --git a/blip-0002.md b/blip-0002.md index 72da790..aa1580e 100644 --- a/blip-0002.md +++ b/blip-0002.md @@ -133,6 +133,7 @@ The following table contains tlv fields for use in onion messages as the payload |-------|-----------------------------|--------------------------------| | 65536 | `dnssec_query` | [bLIP 32](./blip-0032.md) | | 65538 | `dnssec_proof` | [bLIP 32](./blip-0032.md) | +| 65550 | `dnssec_error` | [bLIP 32](./blip-0032.md) | #### `invoice_request` diff --git a/blip-0032.md b/blip-0032.md index 2b0fdd2..45bccd8 100644 --- a/blip-0032.md +++ b/blip-0032.md @@ -32,6 +32,11 @@ Two new onion messages are defined, `dnssec_query` and `dnssec_proof`. * [`u16`:`proof_len`] * [`proof_len*byte`:`proof`] +1. type: 65550 (`dnssec_error`) +2. data: + * [`u8`:`domain_name_len`] + * [`domain_name_len*byte`:`domain_name`] + Nodes which accept and reply to `dnssec_query`-containing onion messages from any sender: * SHOULD set the `dns_resolver` feature flag in their `node_announcement`. @@ -50,11 +55,17 @@ Recipients of a `dnssec_query`-containing onion message: field at the start of a `DnssecChainExtension`). * SHOULD return the RFC 9102-formatted DNSSEC proof proving the resulting TXT records in a `dnssec_proof`-containing onion message to the sender using the provided `reply_path`. + If name resolution fails for any reason: + * SHOULD return a `dnssec_error` message. Senders of a `dnssec_proof`-containing onion message: * MUST set the `domain_name` to the `domain_name` included in the `dnssec_query`-containing onion message being responded to. +Senders of a `dnssec_error`-containing onion message: + * MUST set the `domain_name` to the `domain_name` included in the `dnssec_query`-containing onion + message being responded to. + Recipients of a `dnssec_proof`-containing onion message: * MUST validate all DNSSEC signatures to ensure any contained records are signed in an unbroken chain from the DNSSEC root trust anchor.
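Review bot: in the blip-0002.md table hunk, the new row takes type 65550 while the existing rows are 65536 and 65538, and nothing in the patch explains why 65540 through 65548 are skipped. If the gap is deliberate (values reserved for other bLIP 32 messages, or chosen to avoid a collision), say so in the commit message or in bLIP 32. Otherwise a reader cannot tell whether the intermediate values are free to allocate.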
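Review bot: in the first blip-0032.md hunk (@@ -32), the `dnssec_error` data carries only `domain_name_len` and `domain_name`, so the querier cannot distinguish one failure from another, even though the later rule sends this message when resolution "fails for any reason". Consider adding an error code or reason field, or state explicitly that the message is meant to be opaque. The section intro visible in the hunk header still reads "Two new onion messages are defined, `dnssec_query` and `dnssec_proof`" and should be updated to cover the third message.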
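Review bot: in the second blip-0032.md hunk (@@ -50), requirements are added for senders of `dnssec_error` but none for recipients, and unlike `dnssec_proof` the error carries no DNSSEC signatures that a recipient could validate. Add a "Recipients of a `dnssec_error`-containing onion message" section stating how far the error may be trusted, for example that its `domain_name` must match an outstanding query and that it is not proof the name does not exist. The new "SHOULD return a `dnssec_error` message" line also omits the "using the provided `reply_path`" wording that the `dnssec_proof` rule just above it carries, so the return route is left unspecified.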