On Tue, Apr 6, 2021 at 2:11 PM Murray S. Kucherawy <superu...@gmail.com>
wrote:

> I'm wondering something about tree walks, which John Levine asked about in
> November, as it's a topic of interest to the evolution of DMARC.
>
> I've read RFC 8020 which says an NXDOMAIN cached for "foo.example" also
> covers later queries for "bar.foo.example".  Makes sense.
>
> Can this be used (or maybe amended) to cover the queries if they come in
> the reverse order?  For instance, if "bar.foo.example" arrives first, but
> the authoritative server can determine that the entire "foo.example" tree
> doesn't exist, could it reply with an NXDOMAIN for the question plus a
> cacheable indication about the entire tree instead of just the name that
> was in the question?
>

Yes, it can answer NXDOMAIN.

Without DNSSEC, there is no current way to provide an indication about the
longest ancestor of the name that did exist. With DNSSEC, the NSEC or NSEC3
records in the response can do this (as well as providing cryptographic
proof of this assertion with their signatures).

As mentioned by others, RFC8198 (which can be considered a superset of 8020
for signed zones) extends the semantics by allowing resolvers to infer
non-existence not only below the name, but for all names that fall in the
NSEC/NSEC3 spans.

Shumon.
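An added illustration of the two caching behaviours discussed in this reply, written for this page and not taken from the thread or from any resolver's code: a toy negative cache that applies the RFC 8020 "NXDOMAIN cut" (a cached NXDOMAIN also covers every name below it) and the RFC 8198 aggressive use of a validated NSEC span (every name that sorts inside the span is provably nonexistent, including names never queried). The zone data, the NSEC record `example NSEC zzz.example`, and the query sequence are constructed; the code assumes NSEC only (no NSEC3), no wildcards, and that the NSEC owner is not a delegation point, which a real validator checks via the NS/SOA type bits.

```python
# Added illustration for the RFC 8020 / RFC 8198 discussion; not code from the
# thread or from any real resolver.  A toy negative cache that decides whether
# a query can be answered from earlier proof of non-existence:
#  - RFC 8020 ("NXDOMAIN cut"): a cached NXDOMAIN for a name covers all names
#    below it.
#  - RFC 8198 (aggressive use of DNSSEC-validated cache): a validated NSEC
#    record whose span contains the query name proves the name does not exist.
# Assumptions (not from the thread): NSEC only, no wildcard handling, and the
# NSEC owner is not a delegation point (a real validator checks NS/SOA bits).


def canonical_labels(name):
    """Lower-case a name and return its labels root-first:
    'Bar.Foo.example.' -> ['example', 'foo', 'bar']."""
    name = name.rstrip(".").lower()
    return [] if name == "" else name.split(".")[::-1]


def canonical_key(name):
    """Sort key for DNSSEC canonical name order (RFC 4034 section 6.1):
    compare label by label starting at the rightmost label, labels compared
    as byte strings, a shorter (ancestor) name sorting first."""
    return [label.encode() for label in canonical_labels(name)]


def is_subdomain(name, ancestor):
    """True when `name` equals `ancestor` or lies below it in the tree."""
    n, a = canonical_labels(name), canonical_labels(ancestor)
    return n[: len(a)] == a


def nsec_covers(owner, next_name, qname):
    """True when qname sorts strictly between the NSEC owner and its next
    name.  The zone's last NSEC points back to the apex, which sorts before
    the owner; in that wrapped span every name after the owner is covered."""
    k, ko, kn = canonical_key(qname), canonical_key(owner), canonical_key(next_name)
    if k <= ko:          # equal to the owner: the name exists, only types may be absent
        return False
    return k < kn or kn <= ko


class NegativeCache:
    """Records NXDOMAIN answers and validated NSEC records and reports whether
    a later query is already provably nonexistent."""

    def __init__(self):
        self.nxdomain = []      # names for which NXDOMAIN was received
        self.nsec_spans = []    # (owner, next) pairs from validated NSEC records

    def add_nxdomain(self, name):
        self.nxdomain.append(name)

    def add_nsec(self, owner, next_name):
        self.nsec_spans.append((owner, next_name))

    def covered_by(self, qname):
        """Return which cached item proves qname nonexistent, or None."""
        for nx in self.nxdomain:
            if is_subdomain(qname, nx):
                return "rfc8020:" + nx
        for owner, nxt in self.nsec_spans:
            if nsec_covers(owner, nxt, qname):
                return "rfc8198:%s..%s" % (owner, nxt)
        return None


def demo():
    """Replay the scenario from the question: bar.foo.example is looked up
    first, then names around it.  Returns (unsigned, signed) proof per query."""
    # Constructed: an unsigned lookup learned only that bar.foo.example is NXDOMAIN.
    unsigned = NegativeCache()
    unsigned.add_nxdomain("bar.foo.example")
    # Constructed: a signed lookup returned the NSEC "example NSEC zzz.example",
    # i.e. nothing exists between the apex and zzz.example.
    signed = NegativeCache()
    signed.add_nsec("example", "zzz.example")
    queries = ["baz.bar.foo.example", "foo.example", "other.example",
               "zzz.example", "a.zzz.example"]
    return {q: (unsigned.covered_by(q), signed.covered_by(q)) for q in queries}


if __name__ == "__main__":
    for q, (u, s) in demo().items():
        print("%-22s unsigned=%-26s signed=%s" % (q, u, s))
```

Running `demo()` shows the asymmetry the reply describes: the unsigned cache can answer `baz.bar.foo.example` from the earlier NXDOMAIN but has nothing to say about `foo.example`, the ancestor that was never queried, whereas the NSEC span proves `foo.example`, `other.example` and every name under them nonexistent while leaving `zzz.example` (the span's next name, which exists) and anything below it alone.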
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop