[dns-operations] I missed the announcement: .ARPA has been deleted
vixie at isc.org
Tue Feb 16 16:21:20 UTC 2010
> From: Florian Weimer <fweimer at bfk.de>
> Date: Tue, 16 Feb 2010 14:33:05 +0000
> Interpreting NSEC data allows to do this in a rather safe way. It is
> currently not allowed based on the DNSSEC spec. I think the spec should
> be changed.
the DLV spec (http://ftp.isc.org/isc/pubs/tn/isc-tn-2006-1.txt) has
something called "off the wire aggressive negative caching" (credit where
due, this was one of sam weiler's innovations, though calling it OTWANC and
pronouncing it "ought-wank" was my idea). here, NSEC is used to suppress
queries for which a negative proof exists, but the queries suppressed are
not from forwarding, they're from interior DLV logic.
it's possible that off-wire query suppression could be done by a validating
stub resolver without really breaking the spec. what the DNSSEC spec
forbids is the generation of an on-wire NXDOMAIN by someone not
authoritative for the zone (so, a recursive validator, or a forwarder)
based on a cached NSEC. and i'm pretty comfortable with that, since we
currently have a system which permits expansive overlapping untrue NSECs,
and we may find a use for that some day.
note that i would love to be able to express, in root server responses, that
"not only does your qname not exist, but the tld that your qname is in does
not exist either, and so if you just asked me for foo.local, please do not
ask me for bar.local". and, i would like to be able to do this even without
dnssec. ideally we could just send "local" (in this example) as the response
qname, but the way things have evolved the whole q-tuple has to match the
original query, so that's out.
More information about the dns-operations