On 30 Sep 2015, at 22:58, Evan Hunt wrote:
> The new proposal to return an empty HINFO record has the advantage of
> a smaller response, but will be inconvenient for DNSSEC-signed zones,
> unless the server has access to the signing key and can generate a
> covering RRSIG. This should be mentioned in security considerations.
There are two options for a signed zone that we mentioned in the text:
1. Return an unsigned response. This will be marked as bogus, and
trigger a QTYPE=HINFO re-query that will either return an actual signed
HINFO from the zone or a signed proof of non-existence. We think. I
haven't actually tested that a re-query will happen, but Olafur is
confident. :-)
2. Sign the HINFO RR as it is synthesised (or pre-sign one, to avoid the
edge authority servers needing access to a signing key).
> The pick-one-RRset mechanism doesn't have this problem, because
> the covering RRSIG will already exist for whichever RRset is
> returned.
That is true. However, one of the use-cases for this approach is a
nameserver for which a search for records present at a particular owner
name (as would normally be performed when responding to an ANY query) is
expensive. A synthesised HINFO is cheaper, even if it's a child only a
mother could love.
Joe
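The two ways of answering an ANY query that Evan and Joe compare, and the two options for a signed zone listed above, modelled as an added example (this is not code from the thread, the draft, or any nameserver). It assumes a toy in-memory zone, placeholder bytes standing in for real RRSIGs (no signing is performed), a constructed HINFO text, and constructed NSEC RDATA; the "validator" only checks that every RRset in a signed zone's answer carries a covering RRSIG, which is the property the thread is concerned with.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RRset:
    owner: str
    rtype: str
    rdata: Tuple[bytes, ...]
    rrsig: Optional[bytes] = None  # covering RRSIG; present only for signed data


# Owner name -> RRsets at that name (toy zone, not a wire-format zone file)
Zone = Dict[str, List[RRset]]

# Constructed placeholder standing in for a real RRSIG from the zone signing key
SIG = b"<constructed RRSIG>"

SIGNED_ZONE: Zone = {
    "www.example.": [
        RRset("www.example.", "A", (bytes([192, 0, 2, 1]),), rrsig=SIG),
        RRset("www.example.", "TXT", (b"\x0bhello world",), rrsig=SIG),
        # Signed proof that no HINFO exists at this name (RDATA is constructed)
        RRset("www.example.", "NSEC", (b"<constructed NSEC rdata>",), rrsig=SIG),
    ]
}

UNSIGNED_ZONE: Zone = {
    "www.example.": [
        RRset("www.example.", "A", (bytes([192, 0, 2, 1]),)),
        RRset("www.example.", "TXT", (b"\x0bhello world",)),
    ]
}


def hinfo_rdata(cpu: str, os: str) -> bytes:
    """Encode HINFO RDATA as two <character-string>s (RFC 1035 s3.3):
    one length octet followed by the text, each at most 255 octets."""
    def cstring(s: str) -> bytes:
        b = s.encode("ascii")
        if len(b) > 255:
            raise ValueError("character-string limited to 255 octets")
        return bytes([len(b)]) + b
    return cstring(cpu) + cstring(os)


def answer_any(zone: Zone, qname: str, strategy: str,
               presigned_hinfo_sig: Optional[bytes] = None) -> List[RRset]:
    """Build the answer section for QTYPE=ANY under one of the two strategies."""
    if strategy == "pick-one":
        # Needs the (possibly expensive) search for records at the owner name,
        # but whatever RRset is chosen already carries the zone's RRSIG for it.
        return zone.get(qname, [])[:1]
    if strategy == "hinfo":
        # No lookup at all; the RRSIG exists only if one was pre-signed
        # (option 2 in the thread) and handed to the edge server.
        return [RRset(qname, "HINFO", (hinfo_rdata("SYNTHESISED", ""),),
                      rrsig=presigned_hinfo_sig)]
    raise ValueError(f"unknown strategy {strategy!r}")


def response_size(answer: List[RRset]) -> int:
    """RDATA plus RRSIG octets only, enough to compare the strategies."""
    return (sum(len(r) for rr in answer for r in rr.rdata)
            + sum(len(rr.rrsig) for rr in answer if rr.rrsig))


def validator_status(answer: List[RRset], zone_signed: bool) -> str:
    """Model a validating resolver: in a signed zone every answer RRset must be
    covered by an RRSIG, otherwise the response is treated as bogus."""
    if not zone_signed:
        return "insecure"
    return "secure" if all(rr.rrsig for rr in answer) else "bogus"


def resolve_any(zone: Zone, qname: str, strategy: str, zone_signed: bool,
                presigned_hinfo_sig: Optional[bytes] = None):
    """Option 1 in the thread: an unsigned synthesised HINFO is marked bogus,
    so the resolver re-queries QTYPE=HINFO and gets either the zone's real
    signed HINFO or a signed proof of non-existence (the NSEC RRset here)."""
    answer = answer_any(zone, qname, strategy, presigned_hinfo_sig)
    status = validator_status(answer, zone_signed)
    if status != "bogus":
        return status, answer
    requery = [rr for rr in zone.get(qname, []) if rr.rtype in ("HINFO", "NSEC")]
    return validator_status(requery, zone_signed), requery


if __name__ == "__main__":
    for strategy, sig in (("pick-one", None), ("hinfo", None), ("hinfo", SIG)):
        status, ans = resolve_any(SIGNED_ZONE, "www.example.", strategy, True, sig)
        print(strategy, "pre-signed" if sig else "unsigned",
              "->", status, [rr.rtype for rr in ans])
```

The unsigned synthesised HINFO costs an extra round trip (the re-query) and the answer the resolver finally accepts is the NSEC proof, not the HINFO; the pre-signed HINFO and the pick-one RRset are both accepted first time.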
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop