Ray Bellis wrote:
> On 02/07/2018 15:39, Paul Wouters wrote:
>> If you are trusting an unsigned A record in the answer section, you might
>> as well trust the unsigned AAAA record in the additional section too.
>> I think minimum responses should still always just include this.
> As others have pointed out, the problem is that if you don't get the
> AAAA you can't be sure it doesn't exist (unless there's also an NSEC
> record proving it).
that's a cop-out. given negative caching both for names and rrsets, plus
a lazy sweep-hand to semi-persistently determine the content or
nonexistence of the rrset that wasn't available as additional data, this
problem sorts itself at the recursive layer. and it is a non-problem for
the authority layer.
> I've just refreshed my multi-qtypes draft because it was about to expire
> anyway, but also because it does include signalling to allow the client
> to differentiate between a second QTYPE that doesn't exist vs one that
> the server just doesn't have right now.
please, please, please make a document that advises authority and
recursive server implementors to do this as additional data. do not add
a new code-point.
--
P Vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
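The three positions in the thread above (believe the AAAA in the additional section, treat a missing AAAA as unknown rather than nonexistent, and accept an NSEC in the authority section as proof of absence) can be seen in a toy resolver cache. The following is an added example written for this page; it is not code from Paul Vixie, Ray Bellis, Paul Wouters or any DNS implementation. It builds three constructed wire-format replies for a hypothetical zone `example.test.` and a host `www.example.test.` (the names, addresses and TTLs are invented sample data), then ingests each. The bailiwick check on additional data is standard resolver practice and is the one thing this example adds to what the thread itself says; the NSEC is taken at face value here, with no DNSSEC signature validation, which is an assumption made purely to keep the example short.

```python
# Added example (not from the DNSOP thread): a toy resolver-side cache that
# ingests a minimal-responses reply with the A RRset in the answer section and
# an AAAA RRset in the additional section. It applies a bailiwick check before
# believing additional data and treats a missing AAAA as "unknown" (to be
# queried later) rather than "nonexistent" unless an NSEC proves absence.
# All names, addresses and TTLs below are constructed; NSEC is not validated.
import struct

TYPE_A, TYPE_AAAA, TYPE_NSEC, CLASS_IN = 1, 28, 47, 1


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Return (name, offset after the name); follows RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # pointer: remember where we stopped
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels) + ".", (end if end is not None else off)
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def nsec_rdata(next_name, types):
    """NSEC rdata (RFC 4034 s4.1): next owner name + type bitmap, window 0 only."""
    bitmap = bytearray(32)
    for t in types:
        bitmap[t // 8] |= 0x80 >> (t % 8)
    n = max(types) // 8 + 1
    return encode_name(next_name) + bytes([0, n]) + bytes(bitmap[:n])


def nsec_types(rdata):
    """Set of types the NSEC bitmap says exist at its owner name (window 0 only)."""
    _, off = decode_name(rdata, 0)                # NSEC next-name is never compressed
    types = set()
    while off < len(rdata):
        window, n = rdata[off], rdata[off + 1]
        for i, byte in enumerate(rdata[off + 2:off + 2 + n]):
            types |= {window * 256 + i * 8 + b for b in range(8) if byte & (0x80 >> b)}
        off += 2 + n
    return types


def build_response(qname, answer, authority, additional):
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answer), len(authority), len(additional))
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    return hdr + question + b"".join(answer + authority + additional)


def parse_response(msg):
    counts = struct.unpack("!HHHH", msg[4:12])    # QD, AN, NS, AR counts
    qname, off = decode_name(msg, 12)
    off += 4                                      # skip QTYPE/QCLASS
    secs = {"answer": [], "authority": [], "additional": []}
    for sec, count in zip(secs, counts[1:]):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            secs[sec].append((name, rtype, ttl, msg[off + 10:off + 10 + rdlen]))
            off += 10 + rdlen
    return qname, secs


def ingest(msg, zone):
    """Return (cache, pending): cache maps (name, type) to a list of rdata, or None when
    an NSEC proved the type absent; pending holds pairs the reply was silent about."""
    qname, secs = parse_response(msg)
    cache, pending, proven_absent = {}, set(), set()
    for name, rtype, _, rdata in secs["answer"]:
        cache.setdefault((name, rtype), []).append(rdata)
    for name, rtype, _, rdata in secs["authority"]:
        if rtype == TYPE_NSEC and name == qname:
            proven_absent = {TYPE_A, TYPE_AAAA} - nsec_types(rdata)
    for name, rtype, _, rdata in secs["additional"]:
        # Bailiwick rule: only believe additional data for names under the zone this
        # server is authoritative for; anything else is a cache-poisoning vector.
        if name == zone or name.endswith("." + zone):
            cache.setdefault((name, rtype), []).append(rdata)
    for t in (TYPE_A, TYPE_AAAA):
        if (qname, t) in cache:
            continue
        if t in proven_absent:
            cache[(qname, t)] = None              # negative-cache the NSEC proof
        else:
            pending.add((qname, t))               # unknown, not nonexistent: ask later

    return cache, pending


ZONE, HOST = "example.test.", "www.example.test."   # constructed sample zone/host
A_RR = rr(HOST, TYPE_A, 300, bytes([192, 0, 2, 10]))
V6 = bytes.fromhex("2001 0db8 0000 0000 0000 0000 0000 0010")
WITH_AAAA = build_response(HOST, [A_RR], [], [
    rr(HOST, TYPE_AAAA, 300, V6),
    rr("victim.test.", TYPE_AAAA, 300, V6),      # out of bailiwick: must be dropped
])
NO_AAAA = build_response(HOST, [A_RR], [], [])
NSEC_RR = rr(HOST, TYPE_NSEC, 300, nsec_rdata("zzz.example.test.", [TYPE_A, TYPE_NSEC]))
PROVEN_NO_AAAA = build_response(HOST, [A_RR], [NSEC_RR], [])

if __name__ == "__main__":
    for label, msg in (("with AAAA", WITH_AAAA), ("no AAAA", NO_AAAA), ("NSEC", PROVEN_NO_AAAA)):
        cache, pending = ingest(msg, ZONE)
        print(label, "cached:", sorted(cache), "pending:", sorted(pending))
```

Running it shows the three outcomes side by side: the first reply caches both the A and the in-bailiwick AAAA and drops the `victim.test.` record, the second caches only the A and leaves `(www.example.test., AAAA)` pending for the resolver's own follow-up query, and the third caches a negative entry for AAAA because the NSEC bitmap lists only A and NSEC at that name.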