On 12/31/2014 08:31 PM, 神明達哉 wrote:

> - Section 6.3
>
> If the address of the client is within any of the networks in the
> cache, then the cached response MUST be returned as usual. If the
> address of the client matches multiple networks in the cache, the
> entry with the longest SCOPE NETMASK value MUST be returned, as
> with most route-matching algorithms.
>
> If I understand this (and Section 6.3 in general), the following
> "suboptimal" scenario could happen:
> - The Authoritative Server is configured with two prefixes for
>   optimized responses: 2001:db8::/32 and 2001:db8:2::/48
> - The Recursive Server sends a query with SOURCE of 2001:db8:1::/48
> - The Authoritative Server finds the best matching prefix for the
>   SOURCE is 2001:db8::/32 and returns a response corresponding to
>   it, setting SCOPE NETMASK to 32

No, I think the authority should have responded with a scope of 47.
That's the number of bits it needs (for this address) to make sure
there isn't a more specific answer.

Q: 2001:db8:1::/48/0
A: 2001:db8:1::/48/47

> - The Recursive Server receives the response and caches it
> - The Recursive Server receives a query from 2001:db8:2::1, and finds
>   it has a matching cache (with prefix being 2001:db8::/32)

It will have in its cache:

2001:db8:1::/48/47

Likely (we assume the recursive server wants to expose only the first
48 bits), 2001:db8:2::/48 will be looked up in the cache and will not
match. So then the following exchange happens:

Q: 2001:db8:2::/48/0
A: 2001:db8:2::/48/48

Now, if the recursive server would have asked for 2001:db8:8002::/48,
the authority would have responded with a small scope.

Q: 2001:db8:8002::/48/0
A: 2001:db8:8002::/48/33

> and uses the cached response to answer the query, even if it could
> get the specifically optimized response for 2001:db8:2::/48 from
> the Authoritative Server.
>
> Is my understanding correct? If so, is this a problem to resolve
> or something we need to accept?

Think of scope like: "I would have used N bits to come to this answer
if N or more had been available (for this particular block)."

Rather than: "Only the first N bits of the address are relevant."

//Yuri

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
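A worked model of the scope rule Yuri describes, added here as an example and not code from the thread or from any implementation: it loads the two tailored prefixes from the mail, computes SCOPE as "the bits needed to rule out a more specific answer", and runs the recursive-side longest-match cache. The answer strings, the DEFAULT answer, the EcsCache class and the resolve helper are constructed for the example; it generalizes the mail's three exchanges to any set of tailored prefixes, including a source that matches none of them.

```python
import ipaddress

# Constructed example: the authority's two tailored prefixes from the mail,
# with hypothetical answers attached; anything else gets DEFAULT.
TAILORED = {
    ipaddress.ip_network("2001:db8::/32"): "answer-for-db8-32",
    ipaddress.ip_network("2001:db8:2::/48"): "answer-for-db8-2-48",
}
DEFAULT = "default-answer"

def common_prefix_len(a, b):
    """Leading bits shared by two IPv6 network addresses."""
    return 128 - (int(a) ^ int(b)).bit_length()

def authoritative_answer(source):
    """Answer SOURCE (e.g. '2001:db8:1::/48') and compute SCOPE as the mail
    describes: the bits needed to rule out every tailored prefix that does
    not contain this source, never fewer than the chosen prefix's length."""
    src = ipaddress.ip_network(source)
    containing = [n for n in TAILORED if n.supernet_of(src)]
    best = max(containing, key=lambda n: n.prefixlen, default=None)
    scope = best.prefixlen if best else 0
    for n in TAILORED:
        if n not in containing:  # shared bits plus the first bit that differs
            scope = max(scope, common_prefix_len(src.network_address, n.network_address) + 1)
    return (TAILORED[best] if best else DEFAULT), scope

class EcsCache:
    """Recursive-side cache keyed by address/SCOPE; longest match wins."""
    def __init__(self):
        self.entries = []
    def store(self, source, scope, answer):
        src = ipaddress.ip_network(source)
        bits = min(scope, src.prefixlen)  # assumption: never widen past SOURCE
        self.entries.append((ipaddress.ip_network((src.network_address, bits), strict=False), answer))
    def lookup(self, client):
        addr = ipaddress.ip_address(client)
        hits = [e for e in self.entries if addr in e[0]]
        return max(hits, key=lambda e: e[0].prefixlen)[1] if hits else None

def resolve(cache, client, source_bits=48):
    """Serve CLIENT from cache, else ask the authority exposing SOURCE_BITS."""
    hit = cache.lookup(client)
    if hit is not None:
        return hit, "cache"
    source = ipaddress.ip_network((client, source_bits), strict=False)
    answer, scope = authoritative_answer(str(source))
    cache.store(str(source), scope, answer)
    return answer, f"authority scope {scope}"
```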