Vladimír Čunát wrote on 2022-08-21 11:30:
On 19/08/2022 20.06, Paul Wouters wrote:
Security Considerations could say that .alt queries MUST NOT be
forwarded to other DNS servers for resolution.
There's a dilemma with SUDNs. If a resolver isn't allowed to "send the
name upstream", it might not be able to return DNSSEC-correct denial.
While it's often fine to return a forged bogus answer, it's certainly
not a perfect setup. For example, with validators that don't support a
SUDN yet, forwarding to resolvers that already support that SUDN -
generating retry loops and eventually SERVFAILs.
the design effectively avoids that condition. a stub or recursive who
knows about .ALT won't forward the query or recurse. one who does not
know will forward or recurse and get a secure denial of existence which
will be cacheable. if it's a recursive and also implements qname
minimization then the nonexistence of .ALT and all subdomains will be
cacheable. if it implements DNSSEC and its forwarder if any also does,
then the cached negative .ALT signal will be authenticated.
--
P Vixie
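A toy model of the caching argument above, added here as an illustration and not code from any poster or from an actual resolver: it counts upstream queries for a resolver that knows .alt, one that does not but does QNAME minimisation, and one that does neither. The `Upstream`, `Resolver` and `upstream_queries` names and the three query names are constructed for the example; DNSSEC validation of the answers is not modelled.

```python
"""Constructed model of .alt handling: local answer vs. forwarding, with and
without QNAME minimisation, and what ends up in the negative cache."""
from dataclasses import dataclass, field


@dataclass
class Upstream:
    """Stand-in for the root: nothing at or below 'alt.' exists."""
    queries: list = field(default_factory=list)

    def resolve(self, qname: str) -> str:
        self.queries.append(qname)
        # The root's signed NSEC chain proves 'alt' is absent, so any name
        # at or below it gets a validatable NXDOMAIN.
        return "NXDOMAIN" if qname.rstrip(".").split(".")[-1] == "alt" else "NOERROR"


@dataclass
class Resolver:
    upstream: Upstream
    knows_alt: bool      # implements the .alt special-use rule
    qname_min: bool      # implements QNAME minimisation
    neg_cache: set = field(default_factory=set)

    def _cached_nxdomain(self, labels):
        # A cached NXDOMAIN for any suffix (RFC 8020 style) covers this name.
        return any(".".join(labels[i:]) + "." in self.neg_cache for i in range(len(labels)))

    def resolve(self, qname: str) -> str:
        labels = qname.rstrip(".").split(".")
        if self.knows_alt and labels[-1] == "alt":
            return "NXDOMAIN"          # answered locally; nothing goes upstream
        if self._cached_nxdomain(labels):
            return "NXDOMAIN"
        if self.qname_min:
            # Ask for the shortest unknown suffix first; an NXDOMAIN there
            # is cached once and covers every name beneath it.
            for i in range(len(labels) - 1, -1, -1):
                partial = ".".join(labels[i:]) + "."
                if self.upstream.resolve(partial) == "NXDOMAIN":
                    self.neg_cache.add(partial)
                    return "NXDOMAIN"
            return "NOERROR"
        rc = self.upstream.resolve(qname)
        if rc == "NXDOMAIN":
            self.neg_cache.add(qname)  # simple resolver: only the exact name is cached
        return rc


def upstream_queries(knows_alt: bool, qname_min: bool, names) -> int:
    """Number of queries that reach the upstream for the given resolver type."""
    up = Upstream()
    r = Resolver(up, knows_alt, qname_min)
    for n in names:
        assert r.resolve(n) == "NXDOMAIN"
    return len(up.queries)
```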
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop