This is a detour from the original theme of the thread… nonetheless interesting on its own.
On Jan 7, 2025, at 04:30, Joe Abley <jab...@strandkip.nl> wrote:
>
> On 7 Jan 2025, at 21:18, Shane Kerr <sh...@time-travellers.org> wrote:
>
>> This is a good point! I guess it depends on whether you really, REALLY care
>> if the answer is made from a wildcard. Otherwise if the RDATA is the same
>> you can safely assume that it was - or might as well be.
>
> I don't think you can even say that there *isn't* a wildcard if those two
> queries do return different RDATA, since you have no way of knowing whether
> the two responses were generated in the same way (from the same zone
> revision, from the same server, using the same response logic).
>
> I am mildly intrigued by the idea that we could just get rid of wildcards.
> They made more sense in a world of static zones with occasional distribution
> than they do in a world where individual servers can comfortably synthesise
> signed answers at response time.

When I began writing the wildcards clarification document, one hangup from one reviewer was my calling it “the means to synthesize records” [paraphrasing as it’s been years]. The solution to that was calling them “a means to synthesize records” but noting it was the only standardized means. There’s no reason any responder can’t supply 100% synthesized responses - defining synthesized as “created given the query information.” Zone files aren’t necessary to generate the messages sent over port 53 (or whatever alternate port for encrypted DNS). What makes Wildcards(TM) special is that they are the only “rules” for synthesis that can fit into a zone transfer, hence be common to all servers for a zone, regardless of server implementation (so long as the code is “compliant”) and regardless of operator.

Another way to look at Wildcards(TM) is to say they are a macro-language for DNS responses. If Wildcards(TM) were to be “gotten rid of”, that would mean removing special name match processing of names that start with the single-character label “*”. That would suffice.
If anything though, it seems to me there is more desire to have more synthetic responses than static responses. EDNS0 Client Subnet was created to tailor a response according to a query’s source, as one example. But, as with many things in the early DNS, Wildcards(TM) come with confusion. (That’s why I was asked to “clarify” them years ago.) Wildcards(TM) don’t play well with Opt-out in NSEC3 of DNSSEC (see the RFC - sorry, I’ve forgotten the number).

Seeing a following post on the use case, the issue spurring this thread relates to the DBOUND WG issue - identifying the scope of administrations, that is, clusters of zones under one administrator, to cap the applicability of security decisions. (For those that recall - cookies started this, hence the Mozilla Public Suffix List.)

Not giving any recommendations, just providing some context…

DNSOP mailing list -- dnsop@ietf.org
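The special match processing of a leftmost “*” label discussed in the message above, as an added example that is not part of the thread or of any DNS implementation: a small RFC 4592-style lookup over a constructed zone, showing exact matches, empty non-terminals, multi-label wildcard matches, and the case where an existing deeper name blocks a wildcard. `ZONE`, `APEX` and the function names are assumptions made for this illustration.

```python
# Added example (not from the thread): RFC 4592 wildcard lookup over a tiny
# constructed zone, to show which names a "*" label does and does not match.
# ZONE and APEX are constructed; owner names are lowercase, no trailing dot.
APEX = "example"
ZONE = {
    "example":       {"SOA": ["ns1.example. hostmaster.example. 1 3600 900 604800 300"]},
    "ns1.example":   {"A": ["192.0.2.1"]},
    "*.example":     {"A": ["192.0.2.10"], "TXT": ["wild"]},
    "host.example":  {"A": ["192.0.2.2"]},
    "*.sub.example": {"MX": ["10 mail.sub.example."]},  # makes sub.example an empty non-terminal
}

def existing_names(zone, apex):
    """Every name that exists in the zone: each owner plus its ancestors down to
    the apex (empty non-terminals exist even though they own no records)."""
    names = set()
    apex_len = len(apex.split("."))
    for owner in zone:
        parts = owner.split(".")
        for i in range(len(parts) - apex_len + 1):
            names.add(".".join(parts[i:]))
    return names

def lookup(zone, apex, qname, qtype):
    """Return (rcode, rdata list, owner name used, answered_via_wildcard)."""
    names = existing_names(zone, apex)
    if qname in names:
        # Exact match (or empty non-terminal -> NODATA): wildcards never apply to
        # a name that exists, even when a "*" sibling would otherwise cover it.
        return ("NOERROR", list(zone.get(qname, {}).get(qtype, [])), qname, False)
    parts = qname.split(".")
    for i in range(1, len(parts)):
        closest_encloser = ".".join(parts[i:])
        if closest_encloser not in names:
            continue
        # The only candidate wildcard is "*" directly under the closest encloser
        # (RFC 4592 "source of synthesis"); "*.example" does not reach names whose
        # closest encloser is a deeper existing name such as host.example.
        source = "*." + closest_encloser
        if source in zone:
            # Synthesised RRset: same RDATA as the wildcard but owned by qname, so
            # a client seeing only the answer cannot tell it came from a wildcard.
            return ("NOERROR", list(zone[source].get(qtype, [])), qname, True)
        return ("NXDOMAIN", [], None, False)
    return ("REFUSED", [], None, False)  # qname is not under this zone's apex

if __name__ == "__main__":
    for q in ("a.b.example", "foo.host.example", "sub.example", "x.sub.example", "a.*.example"):
        print(q, lookup(ZONE, APEX, q, "A"))
```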