Hi Ralf,

On 5/29/19 7:42 AM, Ralf Weber wrote:
> Moin!
> 
> On 28 May 2019, at 21:14, Matthijs Mekking wrote:
>> For authoritative servers that receive A or AAAA requests, the address
>> records shall appear only once: in the answer section.  It is correct
>> that those address records have the owner name and TTL adjusted (to the
>> owner name of the ANAME record and the minimum of the encountered TTLs).
>>
>> There is nothing in the additional section, except for the ANAME record,
>> as described in Section 6.1.1:
>>
>>    When a server receives an address query for a name that has an ANAME
>>    record, the response's Additional section MUST contain the ANAME
>>    record.  The ANAME record indicates to a client that it might wish to
>>    resolve the target address records itself.
> So that means an authoritative server could just use the “static” A
> records in the zone and just put in the ANAME in the additional section
> and not do any special processing at all, hoping the resolver does
> follow the ANAME?

Yes, it could do that. But it is not likely that this scenario is
particularly useful in the early stage of ANAME deployment.


>> Note that there is separate additional processing for authoritative
>> servers and resolvers.  For resolvers there is a requirement of having
>> target address records in the additional section.
> Why? They are the same that are in the answer section and for DNSSEC
> the signed ANAME is important and not the unsigned addresses or am I
> missing something?

Why is there a requirement or why is there a difference?

First, the word "requirement" is causing confusion here, I am sorry.
What I meant is that for resolvers the draft has an RFC 2119 keyword
related to adding target address records in the additional section (it's
a MAY). So not required, but optional.

Why is there different additional processing for authoritative servers
and resolvers?  Basically because in a traditional authoritative name
server the target address records are not available (so adding them is
not in scope), but a resolver may have them in the cache (and note these
may be signed address records).


Best regards,

Matthijs



> 
> So long
> -Ralf
> —--
> Ralf Weber
> 

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
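
The authoritative-server behaviour discussed in this thread, as an added example that is not part of the original messages or of the draft: address records appear once, in the answer section, under the ANAME owner name with the minimum TTL, and the ANAME record goes in the additional section. The `RR` type, the function name, the sample zone data, and the choice to include the ANAME record's own TTL in the minimum are assumptions of this sketch.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class RR:
    owner: str   # fully qualified, already lower-cased (assumption)
    rtype: str
    ttl: int
    rdata: str

def authoritative_response(qname, qtype, zone, targets=None):
    """Build answer/additional sections for an A or AAAA query.

    zone:    records the server is authoritative for.
    targets: address records obtained for the ANAME target, or None when
             the server did no target lookup and only has the static
             sibling records from the zone.
    """
    aname = next((rr for rr in zone
                  if rr.owner == qname and rr.rtype == "ANAME"), None)
    siblings = [rr for rr in zone if rr.owner == qname and rr.rtype == qtype]
    if aname is None:
        # Ordinary name: no ANAME processing at all.
        return {"answer": siblings, "additional": []}

    usable = [rr for rr in (targets or []) if rr.rtype == qtype]
    if usable:
        # Rewrite the owner name to the ANAME owner and clamp every record
        # to the minimum TTL seen, so the RRset has one uniform TTL.
        ttl = min([aname.ttl] + [rr.ttl for rr in usable])
        answer = [replace(rr, owner=qname, ttl=ttl) for rr in usable]
    else:
        # No target data: serve the static sibling records unchanged.
        answer = siblings
    # Either way the ANAME record is attached so that a client can choose
    # to resolve the target itself; target records are not repeated here.
    return {"answer": answer, "additional": [aname]}

# Constructed sample data using documentation address ranges.
ZONE = [
    RR("example.com.", "ANAME", 3600, "cdn.example.net."),
    RR("example.com.", "A", 300, "192.0.2.1"),
]
TARGETS = [
    RR("cdn.example.net.", "A", 60, "198.51.100.7"),
    RR("cdn.example.net.", "A", 120, "198.51.100.8"),
]
```
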
