On Tue, 12 Nov 2013, Tony Finch wrote:

> > Really? If I want to validate www.nohats.ca, and I don't have more than
> > the DS/DNSKEY of ca, how can I do this in one round trip without these
> > drafts? You mean just adding items in the additional section?
>
> No. Send the following separate queries concurrently:
>
> www.nohats.ca A
> www.nohats.ca AAAA
> www.nohats.ca DNSKEY
> www.nohats.ca DS
> nohats.ca DNSKEY
> nohats.ca DS
>
> I discussed this strategy in more detail in
> https://www.ietf.org/mail-archive/web/dnsext/current/msg13540.html

Apart from being messy, it does not work if you want to query and
remember NS records (in case you have to switch from forwarding mode
to being a full recursor) and it fails when CNAME/DNAME is involved,
as you also point out. If the chain gets longer, I guess you are also
increasing the effects of packet loss, as every single query has to
return successfully.
In general, we did not talk yet about putting other entries in the
additional section. Normally, validators strip those out, but if these
are DNSSEC validatable, it could accept these as well. In that way,
a query for bigsite.com could also send DNSSEC validatable data for
its CDN and/or advertisement providers. But that does really change the
semantics of what a dns query is really asking.
Paul
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
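The concurrent-query strategy Tony describes, and the two objections Paul raises against it (a CNAME/DNAME in the answer forces a second round trip, and requiring all N queries to arrive amplifies packet loss), modelled as an added example that is not part of the thread. The trust-anchor sets, the CDN name cdn.example.net and the answer data are constructed assumptions; the query generator is generalised to any depth below any configured anchor, not only the two labels under `ca` used in the thread.

```python
# Added example, not from the DNSOP thread. It models the "send everything
# concurrently" strategy quoted above and the two objections to it: a
# CNAME/DNAME in the answer forces a second round trip, and needing every one
# of N queries to arrive amplifies packet loss. Names, trust anchors and
# answer data below are constructed for illustration.
from __future__ import annotations

ROOT = ""  # the root zone, written here as the empty name


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def names_below(qname: str, anchor: str) -> list[str]:
    """Owner names from qname up to, but excluding, the trust anchor.
    names_below("www.nohats.ca", "ca") -> ["www.nohats.ca", "nohats.ca"]"""
    qname, anchor = _norm(qname), _norm(anchor)
    if anchor and qname != anchor and not qname.endswith("." + anchor):
        raise ValueError(f"{qname} is not under trust anchor {anchor!r}")
    labels = qname.split(".") if qname else []
    anchor_len = len(anchor.split(".")) if anchor else 0
    return [".".join(labels[i:]) for i in range(len(labels) - anchor_len)]


def covering_anchor(name: str, anchors: set[str]) -> str:
    """Longest configured trust anchor that name lies under."""
    name = _norm(name)
    best = None
    for a in map(_norm, anchors):
        if a == ROOT or name == a or name.endswith("." + a):
            if best is None or len(a) > len(best):
                best = a
    if best is None:
        raise ValueError(f"no trust anchor covers {name}")
    return best


def concurrent_queries(qname: str, anchors: set[str]) -> list[tuple[str, str]]:
    """First-round query set: A/AAAA for the target plus DS and DNSKEY for every
    name between the target and the nearest trust anchor. Names that are not
    zone cuts (e.g. www.nohats.ca) just answer NODATA; the cost is the extra
    queries, not a wrong chain."""
    qname = _norm(qname)
    queries = [(qname, "A"), (qname, "AAAA")]
    for name in names_below(qname, covering_anchor(qname, anchors)):
        queries += [(name, "DNSKEY"), (name, "DS")]
    return queries


def final_owner(qname: str, answers: dict, max_chain: int = 8) -> str:
    """Follow CNAMEs (including DNAME-synthesised ones) found in the A/AAAA
    answers; answers maps (qname, qtype) -> list of (rrtype, rdata)."""
    name = _norm(qname)
    for _ in range(max_chain):
        nxt = None
        for rrtype in ("A", "AAAA"):
            for rtype, rdata in answers.get((name, rrtype), []):
                if rtype == "CNAME":
                    nxt = _norm(rdata)
        if nxt is None:
            return name
        name = nxt
    raise ValueError("CNAME chain too long")


def followup_queries(qname: str, anchors: set[str], answers: dict) -> list[tuple[str, str]]:
    """Queries a second round trip must send after the first round completed.
    An empty list means the concurrent strategy finished in one round trip."""
    sent = set(concurrent_queries(qname, anchors))
    target = final_owner(qname, answers)
    if target == _norm(qname):
        return []
    return [q for q in concurrent_queries(target, anchors) if q not in sent]


def p_all_arrive(n_queries: int, loss: float) -> float:
    """Probability that all n independent queries return, given per-query loss."""
    return (1.0 - loss) ** n_queries


if __name__ == "__main__":
    # The six queries from the thread, with only the DS/DNSKEY of "ca" trusted.
    print(concurrent_queries("www.nohats.ca", {"ca"}))
    # Constructed answer: www.nohats.ca turns out to be a CNAME to a CDN name
    # outside .ca, so the prefetched chain is useless and a second round of
    # eight queries (A, AAAA, and DS/DNSKEY for three more names) is needed.
    answers = {("www.nohats.ca", "A"): [("CNAME", "cdn.example.net.")]}
    print(followup_queries("www.nohats.ca", {"ca", ROOT}, answers))
    # Loss amplification: six queries must all succeed instead of one.
    print(f"{p_all_arrive(6, 0.01):.4f} vs {p_all_arrive(1, 0.01):.4f}")
```

The generator treats every name between the target and the anchor as a potential zone cut, which is exactly why the strategy is "messy": the resolver cannot know in advance which names are delegations, so it asks DS/DNSKEY at all of them and discards the NODATA replies. The CNAME case shows the second objection concretely: nothing in the first round tells the resolver which chain it will actually need until the A/AAAA answer arrives.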