In message <alpine.lfd.2.10.1311122229110.31...@bofh.nohats.ca>, Paul Wouters writes:

> On Tue, 12 Nov 2013, Tony Finch wrote:
>
> >> Really? If I want to validate www.nohats.ca, and I don't have more than
> >> the DS/DNSKEY of ca, how can I do this in one round trip without these
> >> drafts? You mean just adding items in the additional section?
> >
> > No. Send the following separate queries concurrently:
> >
> > www.nohats.ca A
> > www.nohats.ca AAAA
> > www.nohats.ca DNSKEY
> > www.nohats.ca DS
> > nohats.ca DNSKEY
> > nohats.ca DS
> >
> > I discussed this strategy in more detail in
> > https://www.ietf.org/mail-archive/web/dnsext/current/msg13540.html
>
> Apart from being messy, it does not work if you want to query and
> remember NS records (in case you have to switch from forwarding mode
> to being a full recursor)
Garbage. There is absolutely nothing stopping you remembering NS records
returned in the responses above. If you have to switch, the NS records
will be in the A response or not be available at all.

> and it fails when CNAME/DNAME is involved, as you also point out.

It doesn't fail when a CNAME or a DNAME is involved. The data is useful
to validate the CNAME/DNAME and you just initiate more queries to
validate the target of the CNAME/DNAME.

> If the chain gets longer, I guess you are also increasing the effects
> of packet loss, as every single query has to return successfully.

Which is why you do it over TCP and let the transport layer handle the
retransmissions.

> In general, we did not talk yet about putting other entries in the
> additional section. Normally, validators strip those out, but if these
> are DNSSEC validatable, it could accept these as well. In that way,
> a query for bigsite.com could also send DNSSEC validatable data for
> its CDN and/or advertisement providers. But that does really change the
> semantics of what a dns query is really asking.
>
> Paul

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
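The concurrent-query fan-out discussed in the thread, as an added example that is not code from the thread or from any of its participants: a small planner that lists the queries a validator would send at once for a name, given the nearest zone whose DS/DNSKEY it already trusts, and extends the plan when an answer turns out to be a CNAME/DNAME. The hostname `cdn.example.ca` used in the test is constructed; `ancestors_below`, `plan_queries` and `extend_for_cname` are hypothetical names.

```python
"""Plan the concurrent DNSSEC validation queries described in the thread.

Assumption: the validator already trusts the DS/DNSKEY of some ancestor
zone (in the thread, "ca") and wants every record needed to validate the
target name in one round trip, sending independent queries rather than
relying on the additional section.
"""


def ancestors_below(qname: str, trusted_zone: str) -> list:
    """qname and each parent zone below trusted_zone, most specific first."""
    labels = qname.rstrip(".").split(".")
    trusted = [l for l in trusted_zone.rstrip(".").split(".") if l]  # [] means root
    if trusted and labels[-len(trusted):] != trusted:
        raise ValueError(f"{qname} is not under trusted zone {trusted_zone}")
    # Stop before the trusted zone: its keys are already known.
    return [".".join(labels[i:]) for i in range(len(labels) - len(trusted))]


def plan_queries(qname: str, rrtypes: list, trusted_zone: str) -> list:
    """Queries to send concurrently: the wanted RRtypes for qname, plus
    DNSKEY and DS for every name from qname up to (not including) the
    trusted zone, so each RRSIG and delegation can be checked.  A NODATA
    answer for DNSKEY/DS at a name simply proves it is not a zone cut."""
    plan = [(qname, t) for t in rrtypes]
    for name in ancestors_below(qname, trusted_zone):
        plan.append((name, "DNSKEY"))
        plan.append((name, "DS"))
    return plan


def extend_for_cname(plan: list, target: str, rrtypes: list, trusted_zone: str) -> list:
    """When a response shows the name is an alias, issue a further fan-out
    for the alias target; queries already in flight are not repeated."""
    existing = set(plan)
    extra = [q for q in plan_queries(target, rrtypes, trusted_zone) if q not in existing]
    return plan + extra


if __name__ == "__main__":
    for q in plan_queries("www.nohats.ca", ["A", "AAAA"], "ca"):
        print(*q)
```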