Paul Wouters <p...@nohats.ca> wrote:
> On Tue, 12 Nov 2013, Tony Finch wrote:
> >
> > Re. edns-tcp-chain-query and edns-tcp-keepalive, the minutes say "DNSSEC
> > requires many round-trips to get all the data needed to validation."
> >
> > This is probably a correct report of what was said but the statement is
> > wrong. In most situations you can get everything needed to validate in one
> > round trip; the problem is that current implementations do not do this.
>
> Really? If I want to validate www.nohats.ca, and I don't have more than
> the DS/DNSKEY of ca, how can I do this in one round trip without these
> drafts? You mean just adding items in the additional section?

No. Send the following separate queries concurrently:

	www.nohats.ca A
	www.nohats.ca AAAA
	www.nohats.ca DNSKEY
	www.nohats.ca DS
	nohats.ca DNSKEY
	nohats.ca DS

I discussed this strategy in more detail in
https://www.ietf.org/mail-archive/web/dnsext/current/msg13540.html

Note that any client which knows it should make a chain query can just as
well send the equivalent separate concurrent queries.

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
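
The concurrent query set listed in the message above, generalized to any name and trust anchor, as an added example that is not part of the original thread. The function names are hypothetical; the code only builds the DNSSEC-enabled (DO bit) query packets and does not send them.

```python
import struct

QTYPES = {"A": 1, "AAAA": 28, "DS": 43, "DNSKEY": 48}  # IANA RR type codes

def labels(name):
    """Split a domain name into lower-cased labels, ignoring a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def validation_queries(qname, anchor, answer_types=("A", "AAAA")):
    """List every (name, type) query to send at once, given a trust anchor at `anchor`.

    The client cannot know where the zone cuts are, so it asks for DNSKEY and
    DS at every name from qname up to, but not including, the anchor zone.
    """
    q, a = labels(qname), labels(anchor)
    if len(q) < len(a) or (a and q[-len(a):] != a):
        raise ValueError(f"{qname} is not at or below trust anchor {anchor}")
    plan = [(".".join(q), t) for t in answer_types]
    for i in range(len(q) - len(a)):          # walk upward, stopping below anchor
        name = ".".join(q[i:])
        plan += [(name, "DNSKEY"), (name, "DS")]
    return plan

def build_query(name, qtype, txid):
    """Encode one DNS query with an EDNS0 OPT record that sets the DO bit."""
    # Header: id, flags (RD=1), 1 question, 0 answer, 0 authority, 1 additional
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    qn = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels(name)) + b"\x00"
    question = qn + struct.pack("!HH", QTYPES[qtype], 1)       # class IN
    # OPT RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0,
    # flags with DO=0x8000, empty RDATA
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

if __name__ == "__main__":
    # Constructed input matching the thread: the DS/DNSKEY for "ca" is already held.
    for i, (name, qtype) in enumerate(validation_queries("www.nohats.ca", "ca")):
        print(f"{name:<16}{qtype:<8}{len(build_query(name, qtype, i))} bytes")
```
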