I've been pondering DNSSEC and additional data. I think it's currently the case for additional section processing in general that if (say) an AAAA RRset isn't present, then nothing is added to the additional section. I think it would be better to add an NSEC(3) proof of nonexistence if the relevant zone is signed.
The ANAME draft is consistent with traditional behaviour. I vaguely wonder if it would be worth encouraging additional section PNEs, or if it would be wedging too much into the spec.
One reason not to beef it up in this way is that, as currently written, ANAME generally doesn't require two upstream queries for one incoming query - if the other address type isn't cached the server can just omit it. The exception is a dynamic signed PNE where the server has to ensure the type bitmap is correct.
On the other hand, if it is beefed up then an ANAME query effectively becomes the mythical one-message A+AAAA query. I dunno if this counts in favour or against :-)
Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Hebrides, Bailey, Fair Isle, Faeroes, Southeast Iceland: Cyclonic at first in Fair Isle, otherwise northerly or northwesterly 6 to gale 8, occasionally severe gale 9. Very rough or high. Squally wintry showers. Good, occasionally poor.
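To illustrate the type-bitmap point raised in the message above, here is an added example (not part of the original message or of the ANAME draft) that builds the NSEC type bitmap in the RFC 4034 section 4.1.2 wire format and attaches it to the additional section when an address type is absent. The helper names `additional_for` and `proves_nodata` are hypothetical, and the sketch assumes plain NSEC, leaving out RRSIGs, the next-owner-name field and NSEC3 hashing.

```python
# RR type codes from the IANA DNS parameters registry.
A, CNAME, AAAA, RRSIG, NSEC = 1, 5, 28, 46, 47

def encode_type_bitmap(types):
    """Encode a set of RR types as an NSEC type bitmap (RFC 4034, 4.1.2)."""
    windows = {}
    for t in set(types):
        win, low = divmod(t, 256)
        bits = windows.setdefault(win, bytearray(32))
        bits[low // 8] |= 0x80 >> (low % 8)
    out = bytearray()
    for win in sorted(windows):
        bits = bytes(windows[win]).rstrip(b"\x00")  # drop trailing zero octets
        out += bytes([win, len(bits)]) + bits
    return bytes(out)

def decode_type_bitmap(data):
    """Decode an NSEC type bitmap, rejecting malformed window blocks."""
    types, i, prev = set(), 0, -1
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        win, length = data[i], data[i + 1]
        if not 1 <= length <= 32 or win <= prev or i + 2 + length > len(data):
            raise ValueError("malformed NSEC type bitmap")
        for n, octet in enumerate(data[i + 2:i + 2 + length]):
            types.update(win * 256 + n * 8 + b for b in range(8) if octet & (0x80 >> b))
        i, prev = i + 2 + length, win
    return types

def additional_for(rrsets, signed):
    """Hypothetical helper: additional-section entries for one target name.

    rrsets maps RR type -> rdata list for the types that exist at the name.
    """
    extra = [(t, rrsets[t]) for t in (A, AAAA) if t in rrsets]
    if signed and len(extra) < 2:
        # An address type is absent: attach the NSEC whose bitmap lists exactly
        # the types that do exist (plus RRSIG and NSEC, present at signed names).
        extra.append((NSEC, encode_type_bitmap([*rrsets, RRSIG, NSEC])))
    return extra

def proves_nodata(bitmap, qtype):
    """Validator-side check: neither qtype nor CNAME may be set in the bitmap."""
    present = decode_type_bitmap(bitmap)
    return qtype not in present and CNAME not in present
```

If the bitmap is generated dynamically and wrongly includes the AAAA bit, `proves_nodata` fails for AAAA and a validating client cannot treat the omission as authenticated.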