[dns-operations] FreeBSD and the slaving of the root zone

Paul Vixie paul at vix.com
Tue Jul 31 22:57:51 UTC 2007


> It would be nice to have a (more) in-band method to solve this
> problem (ie, new rcode or rrtype) .  But given that the roots fear
> too much TCP and UDP is more susceptible to spoofing, it probably
> won't happen without DNSSEC.

with dnssec, there will be a way to signal that a node has no children,
and which node has no children, even if it's not the query name.  but
if i understand the spec correctly, cached NSECs aren't allowed to be
used to prove nonexistence without a separate round trip per qname.
(noting that sam weiler told us to ignore that rule when considering
the possible existence/nonexistence of a DLV RR, it's not the default.)

what's needed is probably an EDNS option allowing a server to indicate
the nonexistence of a qname parent, so that a normal non-dnssec "full
resolver" (caching recursive nameserver) can cache the fact that .local
isn't in the root and not have to ask separately for foo.local, bar.local
and so on.  as long as the name indicated is within the bounds of the
zone we thought we were "talking to", this is no less secure than anything
else we're willing to cache from that server.  is it finally time for
EDNS1?
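Added example, not from the post above or from any resolver's code: a toy negative cache modelling the proposed "nonexistent parent" hint, including the bailiwick check the post describes (the hint is kept only if the indicated name lies within the zone the answer came from). All class and function names here are assumptions.

```python
# Toy model of caching "this parent name does not exist" and reusing it
# for later qnames beneath it. Names, class and helpers are assumed.
def _labels(name):
    """Split a DNS name into lowercase labels, root first:
    'foo.Local.' -> ['local', 'foo']; '.' -> []."""
    name = name.rstrip('.').lower()
    return [] if not name else name.split('.')[::-1]

def within_zone(name, zone):
    """Bailiwick check: True if name is at or below the zone apex.
    Label-wise comparison, so 'mylocal.' is NOT under 'local.'."""
    n, z = _labels(name), _labels(zone)
    return n[:len(z)] == z

class NegativeParentCache:
    def __init__(self):
        # names the server has asserted do not exist (tuples of labels)
        self.missing = set()

    def learn(self, zone, nonexistent_parent):
        """Accept the hint only when it falls inside the zone we were
        talking to; otherwise a server could make foreign subtrees vanish.
        Returns True if the hint was cached."""
        if not within_zone(nonexistent_parent, zone):
            return False
        self.missing.add(tuple(_labels(nonexistent_parent)))
        return True

    def known_nonexistent(self, qname):
        """A qname is known not to exist if a cached missing name is an
        ancestor of it or equal to it, so foo.local, bar.local, a.b.local
        are all answered from the single cached fact that .local is absent."""
        q = _labels(qname)
        return any(q[:len(m)] == list(m) for m in self.missing)

if __name__ == "__main__":
    cache = NegativeParentCache()
    cache.learn(".", "local.")             # root server says .local is absent
    print(cache.known_nonexistent("foo.local."))      # True, no round trip
    print(cache.learn("example.com.", "org."))        # False, out of bailiwick
```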
