[dns-operations] Validation direction (Was: Re: Org Dnskey TTL)
Ed.Lewis at neustar.biz
Tue Apr 20 15:16:10 UTC 2010
At 10:53 -0400 4/20/10, Joe Abley wrote:
>In practical terms, given that in reality every validator sets DO=1 for
>every query and that resolution is always top-down following the initial
>priming query, it seems unnatural to think that query order would be
>anything other than top-down.
Iterating down the tree to retrieve an answer is different from
validating an answer. Very different. One of the overlooked items
is that data is cached. We talk about caching often but we also
overlook it when trying to describe how something works.
There's a lot of looseness in terminology. "Iterating" is the
process of following referral messages (NS) and query re-write (DNAME
and CNAME) until you get to the match. "Recursion" is asking the
same question of other sources on behalf of someone else. "Caching"
is the storing of learned information for future queries.
"Validation" is the health checkup given to data before it is cached.
(All of this sits architecturally on top of message authentication.)
When it comes to "query order" the process is from root to finish.
More accurately, it's from the closest enclosing cached entry to
finish. It is possible to rewrite the query to fewer labels (unless
some DNS implementations think this represents a loop). Delegations
are always "down."
There are times when you should pass on data that has not been
validated (CD bit), but before placing it in the (good) cache you
should validate it. And then put it in the cache or in the failed
cached. Never should data that has failed the validation calculation
be returned as authenticated data (AD bit) or to a client that is not
asking for checking to be disabled (CD). If data is in the failed
cache, recursion should not occur.
The reason why old BINDs shipped the key records in the additional
with all answers was that it was thought you'd want to cache this for
later when doing the validation. The reason the key records were
removed from the additional section of the message was that the
messages were getting too large - and you probably would have
already had the key in the cache anyway.
>And to define my terms and make sure we're all holding the map the same way
Despite your past residence in and affiliation with the southern
hemisphere, you are still holding the map right side up.
NeuStar You can leave a voice message at +1-571-434-5468
Wouldn't it be nice if all of the definitions of equivalence were the same?
More information about the dns-operations