>Should we treat synthesis as if the cache is pretending to be an
>authoritative server?
>
>e.g. for wildcards and NSEC3, something like,
>
>    When synthesizing a wildcard response from its cache, the
>    validating resolver MUST include all the records specified in
>    RFC 5155 section 7.2.5 (for negative responses) or section 7.2.6
>    (for positive responses). That is, it MUST generate a response
>    that matches what an authoritative server would send. If the
>    required records are not present in the cache, the resolver SHALL
>    query upstream instead of synthesizing the response.

Yes, although it's kind of subtle. For example, I query for a.h.g.iana.fail:

;; QUESTION SECTION:
;a.h.g.iana.fail. IN A

;; ANSWER SECTION:
a.h.g.iana.fail. 3510 IN A 2.2.2.2
a.h.g.iana.fail. 3510 IN RRSIG A 8 4 3600 20161211000000 20161010180056 31806 iana.fail. fe7QsinhJnyAk6Zz52OO676KXryp3GDMdez38CwyiwNeEiaEzzu83h6c XHum/xbt7uYA7B5EmI/W0x6LMkpe9oAZgzj/LcbXv/BLqvUY4+iCcoW6 6UAoyPeWmSRaheRuBG5jvr/kIFqN+VGBo5Kt6pzGt+NIuIemjRcfPkz4 rIk=

;; AUTHORITY SECTION:
*.h.g.iana.fail. 7110 IN NSEC b.h.g.iana.fail. A RRSIG NSEC
*.h.g.iana.fail. 7110 IN RRSIG NSEC 8 4 7200 20161211000000 20161010180056 31806 iana.fail. iQF8nmONvtzkvDy+8QRjlRRI12+XyJ0XZG8jig/o7EJ21P/VShfE3I9W 3E+JVnkKuYg3Wg3R4tSUSLVZKxVaL/yGSTDvI0+S4RfjNaTWoeuqb+qo vAw78j2TMjevWJPA+NhYjHqc6daB3b38kn5cN3vCYmAO1OR5pn+whdqN d94=
iana.fail. 3510 IN NS sdn.iecc.com.
iana.fail. 3510 IN NS osdn.iecc.com.
iana.fail. 3510 IN NS light.lightlink.com.
iana.fail. 3510 IN RRSIG NS 8 2 3600 20161211000000 20161010180056 31806 iana.fail. I2mKwv75mSfgKf6MBkVWaXg4By9Bs8reUmnTHiBrHcY6O1hMA9XBE8Nq puyXgNured/cHlD8TcApu9FXKWw/L6gjE72eEvZ0WF5ciMGSHrPkW7va XPEXKgD0n9kVHITdFcXGSm5DfQ7j1bYb/j76GSzlxiX1cTss+V2uAXU+ wl0=

You can see that the wildcard is *.h.g.iana.fail. But query for e.h.g.iana.fail:

;; QUESTION SECTION:
;e.h.g.iana.fail. IN A

;; ANSWER SECTION:
e.h.g.iana.fail. 3600 IN A 2.2.2.2
e.h.g.iana.fail. 3600 IN RRSIG A 8 4 3600 20161211000000 20161010180056 31806 iana.fail. fe7QsinhJnyAk6Zz52OO676KXryp3GDMdez38CwyiwNeEiaEzzu83h6c XHum/xbt7uYA7B5EmI/W0x6LMkpe9oAZgzj/LcbXv/BLqvUY4+iCcoW6 6UAoyPeWmSRaheRuBG5jvr/kIFqN+VGBo5Kt6pzGt+NIuIemjRcfPkz4 rIk=

;; AUTHORITY SECTION:
b.h.g.iana.fail. 7061 IN NSEC mx.iana.fail. A RRSIG NSEC
b.h.g.iana.fail. 7061 IN RRSIG NSEC 8 5 7200 20161211000000 20161010180056 31806 iana.fail. hjxpHIt1tzpXePloM08h1wwzY48kBSSH+okPmkglDod2QG2oqtZaEHlt 7rNhjrdwCKcnfoj7QawpneApAciM6jpLevjg8VqCpvHHRNBwgMKPwYq1 ABiFdoMpEdc2D2+7SZ1RMCeIN+NFZtuBMBuYVWMDqvIwxAEapP9PPVXS vC8=
iana.fail. 3403 IN NS sdn.iecc.com.
iana.fail. 3403 IN NS osdn.iecc.com.
iana.fail. 3403 IN NS light.lightlink.com.
iana.fail. 3403 IN RRSIG NS 8 2 3600 20161211000000 20161010180056 31806 iana.fail. I2mKwv75mSfgKf6MBkVWaXg4By9Bs8reUmnTHiBrHcY6O1hMA9XBE8Nq puyXgNured/cHlD8TcApu9FXKWw/L6gjE72eEvZ0WF5ciMGSHrPkW7va XPEXKgD0n9kVHITdFcXGSm5DfQ7j1bYb/j76GSzlxiX1cTss+V2uAXU+ wl0=

You can see that it's synthesized from a wildcard, but you can't tell
whether the wildcard was *.iana.fail or *.g.iana.fail or *.h.g.iana.fail.

And if I query for i.g.iana.fail:

;i.g.iana.fail. IN A

;; ANSWER SECTION:
i.g.iana.fail. 3600 IN A 1.1.1.1
i.g.iana.fail. 3600 IN RRSIG A 8 3 3600 20161211000000 20161010180056 31806 iana.fail. u3icLxUEeJ2RMuhUufrhvze8hUAEkNCKPAfVHXYlQq7D1don0l4opjI2 Sd6fxEPKcF8ah1vtCvIewFctbXQ/HH6gviKslrJekzJcX6PQccsMtygG SzAr3HyWf2HfcMfDJqW2PjP5v9teB/uR7KCWGbxYogFt+sEXu77xHhqi Kug=

;; AUTHORITY SECTION:
b.h.g.iana.fail. 6796 IN NSEC mx.iana.fail. A RRSIG NSEC
b.h.g.iana.fail. 6796 IN RRSIG NSEC 8 5 7200 20161211000000 20161010180056 31806 iana.fail. hjxpHIt1tzpXePloM08h1wwzY48kBSSH+okPmkglDod2QG2oqtZaEHlt 7rNhjrdwCKcnfoj7QawpneApAciM6jpLevjg8VqCpvHHRNBwgMKPwYq1 ABiFdoMpEdc2D2+7SZ1RMCeIN+NFZtuBMBuYVWMDqvIwxAEapP9PPVXS vC8=
iana.fail. 3138 IN NS sdn.iecc.com.
iana.fail. 3138 IN NS osdn.iecc.com.
iana.fail. 3138 IN NS light.lightlink.com.
iana.fail. 3138 IN RRSIG NS 8 2 3600 20161211000000 20161010180056 31806 iana.fail. I2mKwv75mSfgKf6MBkVWaXg4By9Bs8reUmnTHiBrHcY6O1hMA9XBE8Nq puyXgNured/cHlD8TcApu9FXKWw/L6gjE72eEvZ0WF5ciMGSHrPkW7va XPEXKgD0n9kVHITdFcXGSm5DfQ7j1bYb/j76GSzlxiX1cTss+V2uAXU+ wl0=

I get a different synthesized answer because in this case, there's one
wildcard for *.g.iana.fail and another one for *.b.g.iana.fail.

That's OK, and I believe it is straightforward for a cache to tell what
names it can synthesize and what names it can't, but it means it'd
probably be a good idea to make it clear that if there are other names
in the wildcard's range, the cache often can't synthesize results.

R's,
John

PS: These names are real, feel free to poke at them.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
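
Added example (not part of the message above, and not any resolver's own code): a sketch of how a cache could decide which names it may synthesize from the two NSEC records shown in the dig output. The function names and the set of cached wildcards are assumptions; only plain NSEC is modelled (not NSEC3), and escaped labels are not handled.

```python
def labels(name):
    """Lower-cased labels, rightmost first (canonical order, RFC 4034 section 6.1)."""
    return [l.encode() for l in reversed(name.lower().rstrip(".").split("."))]

def covers(owner, nxt, qname):
    """True if qname falls strictly inside the NSEC gap owner -> nxt."""
    o, n, q = labels(owner), labels(nxt), labels(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC in the zone wraps around to the apex

def closest_encloser(owner, nxt, qname):
    """Longest ancestor that qname shares with either end of the covering NSEC."""
    q = labels(qname)
    best = 0
    for other in (labels(owner), labels(nxt)):
        common = 0
        for a, b in zip(q, other):
            if a != b:
                break
            common += 1
        best = max(best, common)
    return ".".join(l.decode() for l in reversed(q[:best])) + "."

def synthesis_source(qname, nsecs, wildcards):
    """Return the cached wildcard that may answer qname, or None (query upstream)."""
    for owner, nxt in nsecs:
        if covers(owner, nxt, qname):
            wc = "*." + closest_encloser(owner, nxt, qname)
            return wc if wc in wildcards else None
    return None  # no cached NSEC proves qname is absent: cannot synthesize

# NSEC owner/next pairs copied from the AUTHORITY sections above.
NSECS = [("*.h.g.iana.fail.", "b.h.g.iana.fail."),
         ("b.h.g.iana.fail.", "mx.iana.fail.")]
# Constructed: wildcard RRsets this sketch assumes are already in the cache.
WILDCARDS = {"*.h.g.iana.fail.", "*.g.iana.fail."}

if __name__ == "__main__":
    for q in ("c.h.g.iana.fail.", "z.g.iana.fail.", "c.g.iana.fail."):
        print(q, "->", synthesis_source(q, NSECS, WILDCARDS))
```

A name such as c.g.iana.fail sorts before *.h.g.iana.fail, so neither cached NSEC covers it and the cache has to query upstream.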