> Olafur Gudmundsson <mailto:o...@ogud.com>
> Tuesday, January 27, 2015 1:22 PM
>
> The original reasoning was to save round trip times and network bandwidth.
> This does not hold any more as Dan Kaminsky showed us how to use extra data as
> cache poison via forged answers.
>
> In DNS referrals there is value for extra data when name servers are
> below the zone cut.
> In no other situation do I see value for application to see anything that is not
> in the first NON-empty response section. (i.e. either Answer or Authority)
>
> I have been thinking about shortening MX answers by only including the
> Answer section and violating the server side processing of additional records.
> If Florian and Tony are right then that should be harmless, as in most cases
> these days mail servers are outside the domain.
i'm fine with additional data that's within the bailiwick of a referral, but also, with data whose owner name matches the qname. so, including AAAA as additional data for QTYPE=A, and including A as additional data for QTYPE=AAAA, has no "kaminsky problem", and could save round trips. note, it has to match the QNAME, not the final owner of a CNAME chain, to qualify for this treatment.

-- 
Paul Vixie
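The acceptance rule Paul sketches above, written out as a resolver-side filter over the sections of a response. This is an added example and not code from the thread or from any resolver; the `RR` type, the three constructed responses and all names and addresses (documentation ranges only) are assumptions made for illustration. It keeps Additional-section records only when they are glue for a referral and sit inside the delegated zone, or when their owner name is exactly the QNAME, and it rejects records owned by a CNAME target.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """Minimal resource record: owner name, type and rdata as text (constructed type)."""
    name: str
    rtype: str
    rdata: str


def _norm(name: str) -> str:
    """Canonical form for comparison: lower-case, no trailing dot."""
    return name.rstrip(".").lower()


def _in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below zone; the root zone ("") contains everything."""
    name, zone = _norm(name), _norm(zone)
    return zone == "" or name == zone or name.endswith("." + zone)


def is_referral(answer: list, authority: list) -> bool:
    """A referral has an empty Answer section and NS records in Authority."""
    return not answer and any(rr.rtype == "NS" for rr in authority)


def accept_additional(qname, qtype, answer, authority, additional):
    """Return the Additional-section RRs a resolver may use or cache."""
    accepted = []
    referral = is_referral(answer, authority)
    # Zone cut(s) named by the referral and the servers it delegates to.
    cuts = {_norm(rr.name) for rr in authority if rr.rtype == "NS"}
    ns_targets = {_norm(rr.rdata) for rr in authority if rr.rtype == "NS"}
    for rr in additional:
        owner = _norm(rr.name)
        if rr.rtype == "OPT":
            continue  # EDNS pseudo-RR, carries no cacheable data
        # Rule 1: referral glue, only for names inside the delegated zone and
        # only for servers the referral actually names.
        if (referral and rr.rtype in ("A", "AAAA") and owner in ns_targets
                and any(_in_bailiwick(owner, cut) for cut in cuts)):
            accepted.append(rr)
        # Rule 2: owner name is exactly the QNAME (never a CNAME target),
        # e.g. AAAA alongside an A answer; the QTYPE itself belongs in Answer.
        elif owner == _norm(qname) and rr.rtype != qtype:
            accepted.append(rr)
    return accepted


# --- constructed responses ---------------------------------------------------

def demo_referral():
    """Referral for example.com: in-bailiwick glue kept, the rest dropped."""
    authority = [RR("example.com.", "NS", "ns1.example.com."),
                 RR("example.com.", "NS", "ns2.example.net.")]
    additional = [RR("ns1.example.com.", "A", "192.0.2.1"),
                  RR("ns2.example.net.", "A", "192.0.2.2"),    # out of bailiwick
                  RR("www.example.com.", "A", "192.0.2.99")]   # not an NS target
    return accept_additional("www.example.com.", "A", [], authority, additional)


def demo_same_owner():
    """A answer with an AAAA for the same owner: kept; unrelated name: dropped."""
    answer = [RR("www.example.com.", "A", "192.0.2.10")]
    additional = [RR("www.example.com.", "AAAA", "2001:db8::10"),
                  RR("ns.example.org.", "A", "192.0.2.66")]
    return accept_additional("www.example.com.", "A", answer, [], additional)


def demo_cname_chain():
    """Additional data owned by the CNAME target does not match the QNAME: dropped."""
    answer = [RR("www.example.com.", "CNAME", "host.cdn.example.net."),
              RR("host.cdn.example.net.", "A", "198.51.100.7")]
    additional = [RR("host.cdn.example.net.", "AAAA", "2001:db8::7")]
    return accept_additional("www.example.com.", "A", answer, [], additional)


if __name__ == "__main__":
    for fn in (demo_referral, demo_same_owner, demo_cname_chain):
        print(fn.__name__, [(rr.name, rr.rtype) for rr in fn()])
```

Note that under this policy the additional A/AAAA records a server attaches to an MX answer are never accepted, whether the mail servers are inside or outside the domain, which is consistent with Olafur's point that a resolver only needs the first non-empty section in that case.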
dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations