On 30 Sep 2015, at 22:58, Evan Hunt wrote:

> The new proposal to return an empty HINFO record has the advantage of
> a smaller response, but will be inconvenient for DNSSEC-signed zones,
> unless the server has access to the signing key and can generate a
> covering RRSIG. This should be mentioned in security considerations.

There are two options for a signed zone that we mentioned in the text:

1. Return an unsigned response. This will be marked as bogus, and trigger a QTYPE=HINFO re-query that will either return an actual signed HINFO from the zone or a signed proof of non-existence. We think. I haven't actually tested that a re-query will happen, but Olafur is confident. :-)

2. Sign the HINFO RR as it is synthesised (or pre-sign one, to avoid the edge authority servers needing access to a signing key).

> The pick-one-RRset mechanism doesn't have this problem, because
> the covering RRSIG will already exist for whichever RRset is
> returned.

That is true. However, one of the use-cases for this approach is a nameserver for which a search for records present at a particular owner name (as would normally be performed when responding to an ANY query) is expensive. A synthesised HINFO is cheaper, even if it's a child only a mother could love.


Joe
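The trade-off discussed above, as an added toy model that is not part of this thread, the draft, or any real nameserver: a signed zone is held as plain dictionaries with one opaque RRSIG token per RRset, and three responders answer QTYPE=ANY either by picking one existing RRset (signature already present), by synthesising an unsigned empty HINFO (option 1), or by attaching a pre-signed HINFO RRSIG (option 2). The zone data, the signature tokens and the empty HINFO rdata are constructed, and the validating-resolver behaviour (re-querying QTYPE=HINFO after a bogus ANY answer) is the assumption the thread itself says is untested. A counter records how often a responder had to enumerate the RRsets at an owner name, the operation Joe describes as expensive.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample signed zone (not real data): owner name -> {rrtype: rdatas}.
# NSEC records are present because the zone is DNSSEC-signed.
ZONE: Dict[str, Dict[str, List[str]]] = {
    "example.test.": {
        "A": ["192.0.2.1"],
        "AAAA": ["2001:db8::1"],
        "MX": ["10 mail.example.test."],
        "TXT": ['"v=spf1 -all"'],
        "NSEC": ["mail.example.test. A AAAA MX TXT RRSIG NSEC"],
    },
    "mail.example.test.": {
        "A": ["192.0.2.25"],
        "NSEC": ["example.test. A RRSIG NSEC"],
    },
}

# One RRSIG per RRset, produced offline by the zone signer. The edge server
# holds these signatures but not the private key. Values are opaque placeholders.
RRSIGS: Dict[Tuple[str, str], str] = {
    (owner, rrtype): f"RRSIG({owner} {rrtype})"
    for owner, rrsets in ZONE.items()
    for rrtype in rrsets
}

# Constructed placeholder rdata for the empty HINFO the draft proposes to synthesise.
SYNTH_HINFO = ['"" ""']

# An answer is a list of RRsets: (owner, rrtype, rdatas, covering RRSIG or None).
RRset = Tuple[str, str, List[str], Optional[str]]

# How often a responder enumerated the RRsets at an owner name (the costly step).
STATS = {"owner_scans": 0}


def owner_rrsets(qname: str) -> Dict[str, List[str]]:
    STATS["owner_scans"] += 1
    return ZONE.get(qname, {})


def answer_any_pick_one(qname: str) -> List[RRset]:
    """Pick-one-RRset: return a single RRset that really exists at qname,
    together with the RRSIG the signer already produced for it."""
    rrsets = owner_rrsets(qname)
    if not rrsets:
        return []  # NXDOMAIN proof is out of scope for this model
    rrtype = sorted(rrsets)[0]  # deterministic choice; any RRset would do
    return [(qname, rrtype, rrsets[rrtype], RRSIGS.get((qname, rrtype)))]


def answer_any_hinfo(qname: str, presigned_rrsig: Optional[str] = None) -> List[RRset]:
    """Synthesised HINFO: never touches the zone data, so it is cheap, but no
    RRSIG covers it unless one is generated online or pre-signed (option 2)."""
    return [(qname, "HINFO", SYNTH_HINFO, presigned_rrsig)]


def answer_hinfo_requery(qname: str) -> List[RRset]:
    """Ordinary QTYPE=HINFO answer from the signed zone: either a real, signed
    HINFO RRset or a signed NSEC proving that HINFO is absent (NODATA)."""
    rrsets = owner_rrsets(qname)
    if not rrsets:
        return []
    if "HINFO" in rrsets:
        return [(qname, "HINFO", rrsets["HINFO"], RRSIGS[(qname, "HINFO")])]
    return [(qname, "NSEC", rrsets["NSEC"], RRSIGS[(qname, "NSEC")])]


def validate(answer: List[RRset]) -> str:
    """Simplified validator view of a signed zone: every RRset in the answer
    needs a covering RRSIG; any RRset without one makes the response bogus."""
    if not answer:
        return "bogus"
    return "secure" if all(rrsig is not None for _, _, _, rrsig in answer) else "bogus"


def resolve_any(qname: str, responder: Callable[[str], List[RRset]]) -> Tuple[str, List[RRset]]:
    """Assumed validating-resolver behaviour (option 1): accept a secure ANY
    answer; on a bogus one, re-query QTYPE=HINFO and validate that instead."""
    answer = responder(qname)
    if validate(answer) == "secure":
        return "secure", answer
    requery = answer_hinfo_requery(qname)
    return "requeried-" + validate(requery), requery


if __name__ == "__main__":
    for name, responder in [("pick-one", answer_any_pick_one), ("hinfo", answer_any_hinfo)]:
        before = STATS["owner_scans"]
        status, answer = resolve_any("example.test.", responder)
        print(f"{name:9s} -> {status:18s} owner scans: {STATS['owner_scans'] - before}")
```

Running the module shows the pick-one responder producing a secure answer after one owner-name scan, while the unsigned HINFO answer costs the resolver a second round trip (the HINFO re-query, answered here with a signed NSEC) and still ends up scanning the owner name once on the authoritative side.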

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop