In message <b7c37977-a543-42e6-976a-e155102f9...@ogud.com>, Olafur Gudmundsson writes:
>
> > On Jan 27, 2015, at 4:07 AM, Marek Vavruša <marek.vavr...@nic.cz> wrote:
> >
> > Hi, I was wondering if there's any operational benefit in including
> > records other than direct answer in resolver responses [1]? For
> > example, some recursors return authoritative NS records, SOA, glue,
> > etc., and some servers scrub them. I have utterly failed in finding
> > anything in the related RFCs to back this up, so I guess it's up to
> > implementors.
> >
> > My reasoning is that the end user rarely needs anything but the direct
> > answer, maybe additional address records for MX, NS and such. But
> > presuming that most of the resolver traffic is 'IN A
> > www.populardomain.com'-like, and a lot of traffic originates from
> > congested mobile networks, it makes sense to me to return only minimal
> > possible responses.
> > Or am I wrong?
> >
> > - Marek
> >
> > [1] With the exception of SOA for NODATA and DNSSEC-related data.
>
> The original reasoning was to save round trip times and network
> bandwidth. This does not hold any more as Dan Kaminsky showed us
> how to use extra data as cache poison via forged answers.
>
> In DNS referrals there is value for extra data when name servers are
> below the zone cut. In no other situation do I see value for
> application to see anything that is not in the first NON-empty response
> section. (i.e. either Answer or Authority)

Actually there is value:

* signed data is fine regardless of who gives it to you provided
  it validates as secure.
* with cookies same zone data is perfectly fine even if not signed.

> I have been thinking about shortening MX answers by only including the
> Answer section and violating the server side processing of additional
> records. If Florian and Tony are right then that should be harmless.

"harmless" == "clients will cope" not "harmless" in terms of efficiency.

> As in most cases these days mail servers are outside the domain.

Lots of mail is still self hosted and if you really care about your
privacy you would self host.

> Olafur
>
> _______________________________________________
> dns-operations mailing list
> dns-operations@lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
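
The acceptance rules argued in this thread (first non-empty section, glue for name servers below the zone cut, DNSSEC-validated data, cookie-protected same-zone data), written out as an added example that is not part of the original messages or of any resolver's code. The names `RR`, `accepted_records`, `MX_RESP` and `REFERRAL` are hypothetical, the sample responses are constructed, and DNSSEC validation and cookie verification are assumed to happen elsewhere and arrive as inputs.

```python
from collections import namedtuple

RR = namedtuple("RR", "name rtype rdata")

def norm(name):
    return name.lower().rstrip(".")

def in_zone(name, zone):
    """Label-wise check, so 'badexample.com' is not inside 'example.com'."""
    n = [l for l in norm(name).split(".") if l]
    z = [l for l in norm(zone).split(".") if l]
    return not z or n[-len(z):] == z

def accepted_records(resp, zone, secure=frozenset(), cookie_ok=False):
    """Filter a parsed response down to the records the thread argues are usable."""
    # zone: zone the queried server answers for (assumed known to the caller).
    # secure: (name, rtype) pairs marked secure by DNSSEC validation done elsewhere.
    # cookie_ok: response carried a valid DNS cookie, so it is not a blind forgery.
    first = next((s for s in ("answer", "authority") if resp[s]), None)
    kept = list(resp[first]) if first else []
    # Referral glue: only for name servers at or below the delegated name.
    glue = set()
    if first == "authority":
        glue = {norm(r.rdata) for r in resp["authority"]
                if r.rtype == "NS" and in_zone(r.rdata, r.name)}
    for section in ("answer", "authority", "additional"):
        if section == first:
            continue
        for r in resp[section]:
            if (norm(r.name), r.rtype) in secure:
                kept.append(r)          # validated data is fine from anyone
            elif cookie_ok and in_zone(r.name, zone):
                kept.append(r)          # cookie + same zone: fine unsigned
            elif section == "additional" and r.rtype in ("A", "AAAA") and norm(r.name) in glue:
                kept.append(r)          # glue below the zone cut
    return kept

# Constructed sample responses (documentation names and addresses).
MX_RESP = {"authority": [],
    "answer": [RR("example.com", "MX", "10 mail.example.com"),
               RR("example.com", "MX", "20 mx.example.net")],
    "additional": [RR("mail.example.com", "A", "192.0.2.25"),
                   RR("mx.example.net", "A", "198.51.100.25")]}
REFERRAL = {"answer": [],
    "authority": [RR("example.com", "NS", "ns1.example.com"),
                  RR("example.com", "NS", "ns.example.net")],
    "additional": [RR("ns1.example.com", "A", "192.0.2.53"),
                   RR("ns.example.net", "A", "198.51.100.53")]}
```

With no cookie and nothing validated, the MX response is reduced to its Answer section; the out-of-zone address record is kept only when it is in the `secure` set.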