Ray Bellis <r...@bellis.me.uk> wrote: > On 30/10/2017 17:40, Evan Hunt wrote: > > > IIRC we discussed it, and were concerned that _ta. could be cached as > > nonexistent by servers implementing QNAME minimization. > > How would that happen, at least so long as _ta responds like any other > empty non-terminal?
It's NXDOMAIN. (It'll also fall foul of RFCs 8020 and 8198.) The problem occurs if you have a validator behind a cache. The cache will prevent downstream id._ta. queries from reaching the root, so any downstream trust anchor variation will be lost. Tony. -- f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode Viking, North Utsire: Southwesterly 5 or 6, veering westerly 5 to 7 later. Moderate or rough, occasionally slight in North Utsire. Rain or showers, fog patches in Viking. Moderate or poor, occasionally very poor in Viking. _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
