> -----Original Message-----
> From: DNSOP [mailto:dnsop-boun...@ietf.org] On Behalf Of Evan Hunt
>
> On Tue, Mar 28, 2017 at 10:47:02PM -0500, John R Levine wrote:
> > That's exactly the problem -- a server that doesn't handle BULK will
> > return the wrong answer.  It might return the BULK record itself or
> > NXDOMAIN for an address that BULK would synthesize.
>
> And, if the zone is signed, it'll be provably wrong.  I don't think
> it's enough to handwave the problem as "not of great concern". At
> least, please add some operational advice that BULK is not to be
> deployed in any domain unless all auth servers for that domain
> fully implement it.
>

Evan,

Again, thank you.

I can see your point where more guidance could be needed here.


As far as BULK RRs in this scenario are concerned, there would still be
two provably valid states as seen from the perspective of a validating
resolver.


Either -

1) *No* BULK support on this auth NS:
   Queried RR does not exist (and actually does not exist)
   NSEC/NSEC3/etc. proves it does not exist.

2) BULK support on this auth NS:
   Queried RR does exist (is actually synthesized)
   RRSIG exists (online) proves it does exist
     - Or -
   RRSIG and NPN exist (offline)
     - proves it does exist (requires NPN aware resolver for validation)


Other options are available (e.g. insecure delegation for these RRs, etc.)


Thanks,
John

>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
>
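The mixed-deployment situation the thread describes, as an added model rather than anything from the draft or from either poster: two auth servers for one zone, only one of which synthesizes BULK answers, each returning an answer that a validating resolver would accept on its own, and a pre-deployment check that flags the disagreement. The synthesis rule, zone names and record contents are constructed illustrations, not the draft's template syntax.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Answer:
    rcode: str             # "NOERROR" or "NXDOMAIN"
    rdata: Optional[str]   # static or synthesized record, if any
    proof: str             # what the validator checks: "RRSIG" or "NSEC"


@dataclass
class AuthServer:
    name: str
    bulk_support: bool
    # Constructed: names the zone really contains, and a suffix under which a
    # hypothetical BULK rule synthesizes PTR records on BULK-aware servers.
    static: Dict[str, str] = field(default_factory=dict)
    bulk_suffix: str = ".10.in-addr.arpa."

    def query(self, qname: str) -> Answer:
        if qname in self.static:
            return Answer("NOERROR", self.static[qname], "RRSIG")
        if self.bulk_support and qname.endswith(self.bulk_suffix):
            # State 2 from the thread: synthesized, signed (online) answer.
            # Hypothetical rule: reverse the remaining octets into a label.
            octets = qname[: -len(self.bulk_suffix)].split(".")[::-1]
            return Answer("NOERROR", "pool-" + "-".join(octets) + ".example.net.", "RRSIG")
        # State 1 from the thread: the name does not exist here, proven by NSEC.
        return Answer("NXDOMAIN", None, "NSEC")


def validates(a: Answer) -> bool:
    """Both states are internally consistent from a validator's perspective."""
    return (a.rcode == "NOERROR" and a.proof == "RRSIG") or (
        a.rcode == "NXDOMAIN" and a.proof == "NSEC"
    )


def check_deployment(servers: List[AuthServer], probe_names: List[str]) -> List[str]:
    """Pre-deployment check: every auth NS must agree on every probe name.
    Returns the names on which individually valid answers contradict each other."""
    conflicts = []
    for qname in probe_names:
        answers = [s.query(qname) for s in servers]
        assert all(validates(a) for a in answers)  # each answer passes on its own
        if len({(a.rcode, a.rdata) for a in answers}) > 1:
            conflicts.append(qname)
    return conflicts
```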