In message <87fvmsd0nk....@mid.deneb.enyo.de>, Florian Weimer writes: > * Stephane Bortzmeyer: > > > On Sat, Mar 08, 2014 at 06:07:48PM +0100, > > Florian Weimer <f...@deneb.enyo.de> wrote > > a message of 17 lines which said: > > > >> > It is. Section 2.2.2 > >> > >> Can you quote it here? > > > > 2.2.2. In the authoritative name servers > > Ahhh, this section heading is wrong, the section is actually > discussing resolver. The text doesn't explicitly mention > minimization, either. :) > > > A possible solution would be to minimize the amount of data sent from > > the resolver. When a resolver receives the query "What is the AAAA > > record for www.example.com?", it sends to the root (assuming a cold > > resolver, whose cache is empty) the very same question. Sending > > "What are the NS records for .com?" would be sufficient (since it > > will be the answer from the root anyway). To do so would be > > compatible with the current DNS system and therefore could be > > deployable, since it is an unilateral change to the resolvers. > > There are some odd configurations out there where a query for > www.foo.bar.example/IN/A returns data, but a query for > foo.bar.example/IN/A returns NXDOMAIN. So it is backwards-compatible > per specification, but a bit thorny to implement in practice.
RFC 2535 said there were no names between NXT owner and the next name leading to a change in behaviour from RFC 103[45] for empty non terminals in the range (NXDOMAIN rather than NODATA). RFC 4034 corrected this to say "the next owner name (in the canonical ordering of the zone) that contains authoritative data or a delegation point NS RRset" which handles empty non terminal as NODATA and is consistent with RFC 103[45]. > > [RFC2181] suggests an > > algorithm to find the zone cut, so resolvers may try it. > > Do you refer to explicit NS queries? > > > Note that DNSSEC-validating resolvers already have access to this > > information, since they have to find the zone cut (the DNSKEY record > > set is just below, the DS record set just above). > > But they don't obtain this information in a privacy-enhancing way. > > > One should note that the behaviour suggested here (minimizing the > > amount of data sent in qnames) is NOT forbidden by the [RFC1034] > > (section 5.3.3) or [RFC1035] (section 7.2). Sending the full qname > > to the authoritative name server is a tradition, not a protocol > > requirment. > ^ > > Typo. > > > Another note is that the answer to the NS query, unlike the referral > > sent when the question is a full qname, is in the Answer section, not > > in the Authoritative section. It has probably no practical > > consequences. > > Most resolvers do not make NS queries, and some authoritative servers > do not return useful data (or any data at all). So using NS queries > for zone cut discovery does not work reliably. Any resolver that is DNSSEC aware will make NS queries (whether validating or not). They do not do so very often as the configurations that require them to be made are rare. The majority of recursive servers in the world are DNSSEC aware. Nameservers that fail to handle NS queries are broken. More NS queries would be good for the overall health of the DNS as it would flush out the broken servers. > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
