[dns-operations] Validation direction (Was: Re: Org Dnskey TTL)

Edward Lewis Ed.Lewis at neustar.biz
Tue Apr 20 15:16:10 UTC 2010

At 10:53 -0400 4/20/10, Joe Abley wrote:

>In practical terms, given that in reality every validator sets DO=1 for
>every query and that resolution is always top-down following the initial
>priming query, it seems unnatural to think that query order would be
>anything other than top-down.

Iterating down the tree to retrieve an answer is different from 
validating an answer.  Very different.  One of the overlooked items 
is that data is cached.  We talk about caching often but we also 
overlook it when trying to describe how something works.

There's a lot of looseness in terminology.  "Iterating" is the 
process of following referral messages (NS) and query re-write (DNAME 
and CNAME) until you get to the match.  "Recursion" is asking the 
same question of other sources on behalf of someone else.  "Caching" 
is the storing of learned information for future queries. 
"Validation" is the health checkup given to data before it is cached. 
(All of this sits architecturally on top of message authentication.)

When it comes to "query order" the process is from root to finish. 
More accurately, it's from the closest enclosing cached entry to 
finish.  It is possible to rewrite the query to fewer labels (unless 
some DNS implementations think this represents a loop).  Delegations 
are always "down."

There are times when you should pass on data that has not been 
validated (CD bit), but before placing it in the (good) cache you 
should validate it.  And then put it in the cache or in the failed 
cache.  Never should data that has failed the validation calculation 
be returned as authenticated data (AD bit) or to a client that is not 
asking for checking to be disabled (CD).  If data is in the failed 
cache, recursion should not occur.

The reason why old BINDs shipped the key records in the additional 
with all answers was that it was thought you'd want to cache this for 
later when doing the validation.  The reason the key records were 
removed from the additional section of the message was that the 
messages were getting too large - and you probably would have 
already had the key in the cache anyway.

>And to define my terms and make sure we're all holding the map the same way

Despite your past residence in and affiliation with the southern 
hemisphere, you are still holding the map right side up.

Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Wouldn't it be nice if all of the definitions of equivalence were the same?
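The cache rules in the message above (validate before the good cache, keep a separate failed cache, pass unvalidated data only to CD=1 clients, set AD only on validated data, and never recurse again for a name sitting in the failed cache), together with the "closest enclosing cached entry" starting point for query order, as an added toy model. This is example code written for this page, not code from the post, from NeuStar, or from any resolver. DNSSEC's RRSIG/DNSKEY cryptography is replaced by an HMAC keyed with a constructed trust anchor so the focus stays on the cache and flag policy; every name, address, key and record below is made up.

```python
# Added example (not from the post): a toy validating resolver showing
# good cache vs. failed cache, CD/AD handling, no recursion for failed
# names, and the "closest enclosing cached entry" query start.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

TRUST_ANCHOR = b"constructed-trust-anchor"   # assumption: not a real DNSKEY


def sign(name: str, rtype: str, rdata: str) -> str:
    """Stand-in for an RRSIG: an HMAC over the RRset contents."""
    msg = f"{name}|{rtype}|{rdata}".encode()
    return hmac.new(TRUST_ANCHOR, msg, hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: str
    sig: str


@dataclass
class Response:
    rdata: Optional[str]
    ad: bool        # Authenticated Data: set only on validated answers
    rcode: str


class Upstream:
    """Stand-in for iterating down to the authoritative servers."""
    def __init__(self, records: Dict[Tuple[str, str], RRset]):
        self.records = records
        self.queries = 0   # counts recursion so we can show when it does NOT happen

    def fetch(self, name: str, rtype: str) -> Optional[RRset]:
        self.queries += 1
        return self.records.get((name, rtype))


class ValidatingResolver:
    def __init__(self, upstream: Upstream):
        self.upstream = upstream
        self.good: Dict[Tuple[str, str], RRset] = {}     # validated data only
        self.failed: Dict[Tuple[str, str], RRset] = {}   # data that failed validation

    def validate(self, rr: RRset) -> bool:
        return hmac.compare_digest(sign(rr.name, rr.rtype, rr.rdata), rr.sig)

    def resolve(self, name: str, rtype: str, cd: bool = False) -> Response:
        key = (name, rtype)
        if key in self.good:
            return Response(self.good[key].rdata, ad=True, rcode="NOERROR")
        if key in self.failed:
            # Failed cache: do not recurse again.  Only a CD=1 client gets
            # the data back, and never with AD set.
            if cd:
                return Response(self.failed[key].rdata, ad=False, rcode="NOERROR")
            return Response(None, ad=False, rcode="SERVFAIL")
        rr = self.upstream.fetch(name, rtype)
        if rr is None:
            return Response(None, ad=False, rcode="NXDOMAIN")
        if self.validate(rr):
            self.good[key] = rr            # validated, so it may enter the good cache
            return Response(rr.rdata, ad=True, rcode="NOERROR")
        self.failed[key] = rr              # remembered as bad; no future recursion
        if cd:
            return Response(rr.rdata, ad=False, rcode="NOERROR")
        return Response(None, ad=False, rcode="SERVFAIL")


def closest_enclosing(cached_cuts: Set[str], qname: str) -> str:
    """Where iteration starts: the deepest cached zone cut enclosing qname."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in cached_cuts:
            return candidate
    return "."     # nothing closer cached: start at the root


def demo():
    good = RRset("www.example.test.", "A", "192.0.2.1",
                 sign("www.example.test.", "A", "192.0.2.1"))
    bad = RRset("bad.example.test.", "A", "192.0.2.2", "0" * 64)  # bogus signature
    up = Upstream({(good.name, "A"): good, (bad.name, "A"): bad})
    r = ValidatingResolver(up)
    first = r.resolve("bad.example.test.", "A")         # fails, lands in failed cache
    second = r.resolve("bad.example.test.", "A")        # answered from failed cache
    cd = r.resolve("bad.example.test.", "A", cd=True)   # CD client gets data, AD clear
    ok = r.resolve("www.example.test.", "A")            # validates, lands in good cache
    return r, up, first, second, cd, ok


if __name__ == "__main__":
    r, up, first, second, cd, ok = demo()
    print(first, second, cd, ok, "upstream queries:", up.queries, sep="\n")
    print(closest_enclosing({".", "test.", "example.test."}, "www.sub.example.test."))
```

`Upstream.queries` is the observable that matters: two queries for the bad name and one CD query produce exactly one upstream fetch, because the failed cache stops further recursion, while the good name is fetched once and then served with AD from the good cache.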
