On Tue, Sep 27, 2016 at 3:10 PM, Shumon Huque <shu...@gmail.com> wrote:
> On Tue, Sep 27, 2016 at 2:48 PM, White, Andrew <andrew.whi...@charter.com> > wrote: > >> Hi Shumon, >> >> >> What about this? >> >> >> >> # When an iterative caching DNS resolver receives a response with RCODE >> being NXDOMAIN, >> >> # the resolver SHOULD store the response in its (negative) cache. During >> the time the response >> >> # is cached, any query with a QNAME at or descended from the denied name >> that is not otherwise >> >> #cached (positively), can be assumed to result in a name error. >> Responses to those queries >> >> # SHOULD set RCODE=NXDOMAIN (using the DNSSEC records cached as proof). >> >> >> >> When an iterative caching DNS resolver receives a query response with >> RCODE as NXDOMAIN, >> >> The resolver should store the NXDOMAIN response in cache. During the time >> that this response >> >> is cached, any query with a QNAME at or descended from the query that >> resulted in NXDOMAIN >> >> and that is not already in cache can be assumed to result in a name >> error. Responses to such >> >> queries SHOULD respond with RCODE as NXDOMAIN using DNSSEC records from >> cache as proof. >> >> >> >> Andrew >> > > Andrew - this looks very similar to Ed's rewrite. > > The problem I see with both is that it says to reply with NXDOMAIN for all > names at or below the cut, except for RRsets already positively cached. But > the current draft also allows resolvers to immediately invalidate cached > entries below the cut and also return NXDOMAIN for them. Your rewrite > appears to remove (or at least not mention) that possibility. > > -- > Shumon Huque > One other quick comment on the rewrite: " .. (using the DNSSEC records cached as proof)." is a bit unclear and perhaps misplaced. I assume here this means signed NSEC or NSEC3 records, which may or may not exist depending on whether the zone in question is signed. And even if they exist, the resolver typically doesn't return them as proof unless the querier sets DO=1. I think we cover this point further down in the text, which I'll excerpt here: "If the NXDOMAIN response due to a cached non-existence is from a DNSSEC signed zone, then it will have accompanying NSEC or NSEC3 records that authenticate the non-existence of the name. For a descendant name of the original NXDOMAIN name, the same set of NSEC or NSEC3 records proves the non-existence of the descendant name. The iterative, caching resolver MUST return these NSEC or NSEC3 records in the response to the triggering query if the query had the DNSSEC OK (DO) bit set." Re-reading this paragraph, I think I'd suggest explicitly mentioning that the NSEC/NSEC3 signatures must be returned also. -- Shumon Huque
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop