> On 8 Nov 2022, at 10:56, Peter Thomassen <pe...@desec.io> wrote:
>
> On 11/8/22 10:33, Mark Andrews wrote:
>> Filtering .alt in recursive servers should be a MUST NOT.
>
> Whenever SHOULD or MUST (NOT) is used, or we're making a promise for the
> indefinite future, or we're (in the case of NXDOMAIN synthesis) altering
> behavior from the client's perspective (by precluding a DoE from the root),
> then the document should be on Standards Track, not Informational.
I was saying “do not do anything special” in recursive servers for .alt.

A modern recursive server does QNAME minimisation. It may be doing NXDOMAIN means NXDOMAIN (in BIND this is qname-minimisation strict). It does DNSSEC validation. It does aggressive negative caching. It may be configured as a mirror for the root zone.

When you query for alt you get enough information in the response from the root with aggressive negative caching to answer every other query for *.alt for 10800 seconds.

% dig +dnssec alt

; <<>> DiG 9.19.6-dev <<>> +dnssec alt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8597
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 39041e1bfde7b212facacc52636a39c4ff7818022e6dc01e (good)
;; QUESTION SECTION:
;alt.                           IN      A

;; AUTHORITY SECTION:
.                       10800   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2022110800 1800 900 604800 86400
.                       10800   IN      RRSIG   SOA 8 0 86400 20221121050000 20221108040000 18733 . AS0aswPnUf8/YdZE/Xeub17fLCWmp/OJXvqrH1+qcYN4WD0TV6mVS1Uc
                                mrTeVGp52anSqxkzxfUQaPyiF1Clxnx1wGtncsNkDJpKX9fPdbMmMsk+
                                wm/URiOpwzCQC7nlcUESraWo5WW4Z1olGWMLK7mBA260GT/FmZq5wVtv
                                9WRKmyZGTPz6ETG9wb1k2WXstLUWuB/snlcyi7VZHpCvcOdK1ebiPkET
                                BJY/0FMeWpEncR5KsK27mNTyXucjic04jj9h8LOew+SwA32LWKZg5cgn
                                XT3Pssj1imKEUcSIM2Dl3I/G0z4FOYhvImqDkbiYEWVkB+OoAr9RvKGs
                                T5cv8g==
.                       10800   IN      RRSIG   NSEC 8 0 86400 20221121050000 20221108040000 18733 . lG9D6KVTMh09Iu7SWWR+c2b8bOyi5xe+6PoD9u0kBOMOa0SdS4/Tm9z0
                                nRM1dV2zc1bdYHLSyOyb5CmdCvYO0dxpLPxpJIXope/cxDwUZaOG3zq/
                                kPqgBGTjJZSddFYYuSPxXhjBpoF1YFy3PzjfFMS0QytIX+pmbqvqTtg+
                                vgFr1sZHr8COiWcNQ2MYMqN81+nKmGyX9oCXFJO9bASXEfaSDCJf5979
                                Pg8yXWBrNpA+IoFbplkJhnqi+ApSmjH4t19xgh49kxbusm8GZImGimH9
                                QLFlpbUZ6yP1R/gOwMxkKfjfFyScvzWmuI4viFSKOZFlRXGF7xSKeBpy
                                OHCgWg==
.                       10800   IN      NSEC    aaa. NS SOA RRSIG NSEC DNSKEY
alstom.                 10800   IN      RRSIG   NSEC 8 1 86400 20221121050000 20221108040000 18733 . WORaA7GTkm3H7nB4x+32UfhmgxelNotpoVBf95eV1QptzGBTZiFebDz2
                                /aYogXYhV7gd1w9hAZjOW2qtsISR21qD9zTyHoG7JUty21UQfkLrm5QX
                                8X2EtVxD9+CmrI/+bJ2p91gEpEGvIcA6uslBKAoNuXFF6xZ/OqdtyIuV
                                xYnJuYJHoFqC1rEk/ZbjS49UraLNpgkvPZGPpAVVzsussItT7lC2SECf
                                WBOiY3ElxotTvD18rkn6EhQasuxiVxUP2uUiTxlJWYui4O6c6D37BuGL
                                iXZoLOfRztesm+ISptOM+soTutN1NxHQZnXsoRYYTSOWhB0lsEQWSNBp
                                IOJckw==
alstom.                 10800   IN      NSEC    am. NS DS RRSIG NSEC

;; Query time: 190 msec
;; SERVER: 2001:67c:370:229::7#53(2001:67c:370:229::7) (UDP)
;; WHEN: Tue Nov 08 11:13:08 WET 2022
;; MSG SIZE  rcvd: 1049

%

The alternative is that the recursive server maps ‘whatever.alt/QTYPE’ to ‘alt/DS’ when iterating, then returns the result of that query to the client with the original QNAME and QTYPE. It can use the cached result of ‘alt/DS’ until it times out.

> ~Peter
>
> --
> https://desec.io/
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
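As an added illustration (not part of the original message, and not BIND's code) of why the response above is enough for aggressive negative caching, the following Python checks which of the two NSEC records in the AUTHORITY section covers a queried name, using RFC 4034 canonical name ordering and the RFC 8198 coverage rule. The NSEC owner/next pairs are copied from the dig output; RRSIG validation is assumed to have already succeeded, and the closest encloser is assumed to be the root, as it is for every name under alt.

```python
"""Aggressive negative caching (RFC 8198) against the two NSEC records the
root returned for "alt". A validating resolver holding them can answer any
query under alt. with NXDOMAIN for the records' TTL (10800 s) without asking
the root again. Only the canonical ordering and the "owner < qname < next"
test of RFC 4034 section 6.1 are implemented; signatures are assumed valid."""


def canonical_key(name):
    """Labels from the root outward, lowercased, so that Python's list and
    bytes comparison reproduces RFC 4034 canonical DNS name ordering."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return [lbl.lower().encode() for lbl in reversed(labels)]


def canonical_cmp(a, b):
    """-1, 0 or 1 as name a sorts before, equal to, or after name b."""
    ka, kb = canonical_key(a), canonical_key(b)
    return (ka > kb) - (ka < kb)


def nsec_covers(owner, next_name, qname):
    """True when qname sorts strictly between owner and next_name. A next_name
    of "." marks the last NSEC of the zone, whose span wraps to the apex."""
    if canonical_cmp(owner, qname) >= 0:
        return False
    if canonical_cmp(next_name, ".") == 0 and canonical_cmp(owner, ".") != 0:
        return True
    return canonical_cmp(qname, next_name) < 0


# Constructed from the AUTHORITY section of the dig response in the message:
# (owner, next) pairs only; TTLs and type bitmaps are left out.
ROOT_NSECS = [(".", "aaa."), ("alstom.", "am.")]


def covering_nsec(qname, nsecs=ROOT_NSECS):
    """Owner of the cached NSEC that proves qname does not exist, or None when
    the cache holds no proof and the resolver must iterate upstream."""
    for owner, nxt in nsecs:
        if nsec_covers(owner, nxt, qname):
            return owner
    return None


def synthesize_nxdomain(qname, nsecs=ROOT_NSECS):
    """RFC 8198 needs a covering NSEC for qname plus proof that no wildcard
    exists at the closest encloser; this example assumes that is the root."""
    return covering_nsec(qname, nsecs) is not None and covering_nsec("*.", nsecs) is not None


if __name__ == "__main__":
    for q in ("alt.", "whatever.alt.", "deep.er.alt.", "com."):
        print(q, "->", "NXDOMAIN from cache" if synthesize_nxdomain(q) else "ask upstream")
```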