Mark Andrews <ma...@isc.org> wrote:
> Paul Wouters wrote:
>
> > and it fails when CNAME/DNAME is involved, as you also point out.
>
> It doesn't fail when a CNAME or a DNAME is involved.  The data is
> useful to validate the CNAME/DNAME and you just initiate more
> queries to validate the target of the CNAME/DNAME.

I think it is slightly more subtle than that. There is a big question
about how much information about CNAME/DNAME validation chains should be
returned in response to Paul's chain query, especially when the target of
the CNAME is not under the known domain stated by the client. For instance
I bet the client doesn't want to repeatedly receive validation chains for
akadns.net, edgekey.net, akamaiedge.net just because they are querying for
various names in .com. But if the server doesn't send all the validation
chains, the client will require two round trips, just as it would if the
server did not support chain queries.

I would like to see more work done on reducing validation latency within
the existing protocol, for iterative resolvers as well as forwarding
resolvers, so we can get a better idea of when chain queries might help.

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
