In message <alpine.lsu.2.00.1312021619030.11...@hermes-2.csi.cam.ac.uk>, Tony Finch writes:
>
> ✅ Roy Arends <r...@dnss.ec> wrote:

Tony, why did you put a WHITE HEAVY CHECK MARK before Roy's name?
As far as I can tell it is just extraneous noise being transmitted
for no benefit to anyone.

> > > So in the trace above, step (4) is redundant: the resolver already
> > > received the DS in step (1).
> >
> > In this case, yes. However, this is not consistent across all delegation
> > points. As an example, UK and ORG.UK are hosted from the same set of
> > servers. When asked about, say, nominet.org.uk, these servers will
> > happily refer to the proper nameservers, including a DS record for
> > nominet.org.uk. However, the validating resolver needs to explicitly ask
> > for the org.uk DS record, since it will not show up in any delegation
> > response.
>
> Happily, unless there is more than one intermediate zone cut, the resolver
> can get the missing DS and DNSKEY RRs in the same round trip it uses to
> follow the referral.
>
> But yes, that is a good example of a situation where you have to do
> at least a little upwards validation.
>
> > > Furthermore, the presence of the DS in the referral tells the resolver
> > > that it will need the DNSKEY RRset in order to validate the answer, so it
> > > should send queries (2) and (3) concurrently.
> >
> > Not necessarily. www.cam.ac.uk might be an unsigned delegation from the
> > signed cam.ac.uk, so this might be followed by another query (for the
> > www.cam.ac.uk record from the www.cam.ac.uk name servers).
>
> Right, but having got the referral at www.cam.ac.uk and the cam.ac.uk
> DNSKEY RRset, we are in the same situation as in my original example, but
> one level further down the hierarchy.
>
> > If that succeeds, only then validation makes sense.
>
> Why? Why not validate the chain of referrals as you follow them? The
> protocol is designed to support that otherwise it would not include the DS
> in the referral.
>
> Tony.

It's more because we haven't coded for it yet, especially the
non existence case, than anything else.
Mark

> --
> f.anthony.n.finch <d...@dotat.at> http://dotat.at/
> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
> Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
> occasionally poor at first.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
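Added illustration, not part of the message above and not code from BIND or any other resolver: a small Python model of the query planning the thread discusses, deciding which queries a validating resolver can send in the same round trip as the referral follow-up. The `Referral` type, the `next_round` function, the use of the DS RRSIG's Signer's Name to spot an intermediate zone cut, and the `A` query type are assumptions of this sketch; names are lower-case without a trailing dot and the root zone is not modelled.

```python
# Added example: data model and function names are hypothetical.
from typing import List, NamedTuple, Optional, Tuple

class Referral(NamedTuple):
    qname: str                # name being resolved
    cut: str                  # delegation point (owner of the referral's NS RRset)
    ds_signer: Optional[str]  # Signer's Name on the DS RRSIG; None if no DS came back

Query = Tuple[str, str, str]  # (qname, qtype, zone whose servers are asked)

def is_within(name: str, zone: str) -> bool:
    """True if name equals zone or is a descendant of it."""
    return name == zone or name.endswith("." + zone)

def next_round(validated_zone: str, ref: Referral) -> List[Query]:
    """Queries to send concurrently after a referral.

    validated_zone is the deepest zone whose DNSKEY RRset is already validated.
    """
    queries: List[Query] = [(ref.qname, "A", ref.cut)]  # follow the referral
    if ref.ds_signer is None:
        # No DS: possibly an unsigned delegation (the www.cam.ac.uk case).
        # Validating the proof of non-existence is outside this sketch.
        return queries
    signer = ref.ds_signer
    if (signer == ref.cut or not is_within(ref.cut, signer)
            or not is_within(signer, validated_zone)):
        raise ValueError("DS signer is not between the validated zone and the cut")
    # A DS in the referral means the child's DNSKEY RRset will be needed.
    queries.append((ref.cut, "DNSKEY", ref.cut))
    if signer != validated_zone:
        # Intermediate zone cut served by the same servers (the org.uk case):
        # its DS never appeared in a referral, so ask for it explicitly, and
        # fetch its DNSKEY RRset alongside. One intermediate cut fits in this
        # round trip; a deeper chain only shows up once this DS is answered.
        queries.append((signer, "DS", validated_zone))
        queries.append((signer, "DNSKEY", signer))
    return queries

if __name__ == "__main__":
    # Constructed sample: referral from the uk/org.uk servers for nominet.org.uk.
    for q in next_round("uk", Referral("www.nominet.org.uk", "nominet.org.uk", "org.uk")):
        print(q)
```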