Add error failures to DNSSEC lookups

blip-0002.md

@@ -133,6 +133,7 @@ The following table contains tlv fields for use in onion messages as the payload
 |-------|-----------------------------|--------------------------------|
 | 65536 | `dnssec_query`              | [bLIP 32](./blip-0032.md)      |
 | 65538 | `dnssec_proof`              | [bLIP 32](./blip-0032.md)      |
+| 65550 | `dnssec_error`              | [bLIP 32](./blip-0032.md)      |
 
 #### `invoice_request`
 

blip-0032.md

@@ -32,6 +32,11 @@ Two new onion messages are defined, `dnssec_query` and `dnssec_proof`.
     * [`u16`:`proof_len`]
     * [`proof_len*byte`:`proof`]
 
+1. type: 65550 (`dnssec_error`)
+2. data:
+    * [`u8`:`domain_name_len`]
+    * [`domain_name_len*byte`:`domain_name`]
+
 Nodes which accept and reply to `dnssec_query`-containing onion messages from any sender:
  * SHOULD set the `dns_resolver` feature flag in their `node_announcement`.
 
@@ -50,11 +55,17 @@ Recipients of a `dnssec_query`-containing onion message:
    field at the start of a `DnssecChainExtension`).
  * SHOULD return the RFC 9102-formatted DNSSEC proof proving the resulting TXT records in a
    `dnssec_proof`-containing onion message to the sender using the provided `reply_path`.
+ If name resolution fails for any reason:
+   * SHOULD return a `dnssec_error` message.
 
 Senders of a `dnssec_proof`-containing onion message:
  * MUST set the `domain_name` to the `domain_name` included in the `dnssec_query`-containing onion
    message being responded to.
 
+Senders of a `dnssec_error`-containing onion message:
+ * MUST set the `domain_name` to the `domain_name` included in the `dnssec_query`-containing onion
+   message being responded to.
+
 Recipients of a `dnssec_proof`-containing onion message:
  * MUST validate all DNSSEC signatures to ensure any contained records are signed in an unbroken
    chain from the DNSSEC root trust anchor.