Hi Ralf,

On 5/29/19 7:42 AM, Ralf Weber wrote:
> Moin!
>
> On 28 May 2019, at 21:14, Matthijs Mekking wrote:
>> For authoritative servers that receive A or AAAA requests, the address
>> records shall appear only once: in the answer section. It is correct
>> that those address records have the owner name and TTL adjusted (to the
>> owner name of the ANAME record and the minimum of the encountered TTLs).
>>
>> There is nothing in the additional section, except for the ANAME record,
>> as described in Section 6.1.1:
>>
>>    When a server receives an address query for a name that has an ANAME
>>    record, the response's Additional section MUST contain the ANAME
>>    record. The ANAME record indicates to a client that it might wish to
>>    resolve the target address records itself.
> So that means an authoritative server could just use the “static” A
> records in the zone and just put in the ANAME in the additional section
> and not do any special processing at all, hoping the resolver does
> follow the ANAME?

Yes, it could do that. But it is not likely that this scenario is
particularly useful in the early stage of ANAME deployment.

>> Note that there is separate additional processing for authoritative
>> servers and resolvers. For resolvers there is a requirement of having
>> target address records in the additional section.
> Why? They are the same that are in the answer section and for DNSSEC
> the signed ANAME is important and not the unsigned addresses or am I
> missing something?

Why is there a requirement or why is there a difference?

First, the word "requirement" is causing confusion here, I am sorry.
What I meant is that for resolvers the draft has an RFC 2119 keyword
related to adding target address records in the additional section (it's
a MAY). So not required, but optional.

Why is there different additional processing for authoritative servers
and resolvers? Basically because in a traditional authoritative name
server the target address records are not available (so adding them is
not in scope), but a resolver may have them in the cache (and note these
may be signed address records).

Best regards,
Matthijs

>
> So long
> -Ralf
> ---
> Ralf Weber
>

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
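
The authoritative-side behaviour discussed in this thread, as an added example that is not part of the original messages or of the draft: address records go in the answer section with the ANAME owner name and the minimum encountered TTL, and the ANAME record goes in the additional section. The `RR` type, the function name, the `chain_ttls` parameter and all sample records are assumptions made for illustration; "encountered TTLs" is taken here to mean the ANAME TTL, any TTLs seen while resolving the target, and the target address TTLs.

```python
from typing import NamedTuple, Optional, Sequence


class RR(NamedTuple):
    owner: str
    ttl: int
    rtype: str
    rdata: str


def authoritative_response(qtype: str, aname: RR, siblings: Sequence[RR],
                           targets: Optional[Sequence[RR]] = None,
                           chain_ttls: Sequence[int] = ()):
    """Return (answer, additional) for an A/AAAA query at an ANAME owner name.

    siblings:   static address records stored in the zone at the ANAME owner.
    targets:    address records resolved for the ANAME target, or None when the
                server does no special processing and serves the static records.
    chain_ttls: TTLs of other records met while resolving the target (assumed).
    """
    if qtype not in ("A", "AAAA"):
        raise ValueError("only address queries are handled here")
    if targets is None:
        # "Static" case from the thread: no substitution, ANAME still attached.
        answer = [rr for rr in siblings if rr.rtype == qtype]
    else:
        matching = [rr for rr in targets if rr.rtype == qtype]
        # One TTL for the whole RRset: the minimum of everything encountered.
        ttl = min([aname.ttl, *chain_ttls, *(rr.ttl for rr in matching)])
        # Owner name is rewritten to the ANAME owner; records appear only once.
        answer = [RR(aname.owner, ttl, rr.rtype, rr.rdata) for rr in matching]
    # The additional section carries nothing but the ANAME record.
    return answer, [aname]


# Constructed sample zone data (documentation address ranges).
ANAME = RR("example.com.", 3600, "ANAME", "cdn.example.net.")
SIBLINGS = [RR("example.com.", 3600, "A", "192.0.2.1")]
TARGETS = [
    RR("cdn.example.net.", 300, "A", "192.0.2.10"),
    RR("cdn.example.net.", 120, "A", "192.0.2.11"),
    RR("cdn.example.net.", 600, "AAAA", "2001:db8::10"),
]

if __name__ == "__main__":
    for section in authoritative_response("A", ANAME, SIBLINGS, TARGETS):
        print(section)
```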