[dns-operations] I missed the announcement: .ARPA has been deleted

Florian Weimer fw at deneb.enyo.de
Tue Feb 16 21:34:43 UTC 2010


* Paul Vixie:

> it's possible that off-wire query suppression could be done by a validating
> stub resolver without really breaking the spec.  what the DNSSEC spec
> forbids is the generation of an on-wire NXDOMAIN by someone not
> authoritative for the zone (so, a recursive validator, or a forwarder)
> based on a cached NSEC.

Authority is not cryptographically enforced, so it can't be an
important consideration. 8-)

> and i'm pretty comfortable with that, since we currently have a
> system which permits expansive overlapping untrue NSECs, and we may
> find a use for that some day.

No, it doesn't.  RFC 4034 says otherwise.  Based on the specification,
you also can't expect a mis-signed zone to remain reachable for which
you have not submitted trust anchors anywhere.  (Current practice is
different, but might change rather quickly if we really, really need
something for better channel security before, say, 2013.)

There's already enough bad data in DNS, we don't need more ways to put
more of that into it.

> note that i would love to be able to express, in root server responses, that
> "not only does your qname not exist, but the tld that your qname is in does
> not exist either, and so if you just asked me for foo.local, please do not
> ask me for bar.local".  and, i would like to be able to do this even without
> dnssec.  ideally we could just send "local" (in this example) as the response
> qname, but the way things have evolved the whole q-tuple has to match the
> original query, so that's out.

Increasingly, you also want to know when you send an A query if an
AAAA RRset exists (or vice versa).  So let's add a query flag which
means "send me some interesting signed NSECs of your choice if the
answer is not a delegation", and we've enough data to solve both
issues.  We've also added something of value to DNSSEC. 8-)
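As an added example (not code from either poster), here are the two cache-side questions this thread raises, answered from signed NSECs a validating stub might already hold: whether a cached NSEC proves a name does not exist (so foo.local. and bar.local. need no further root queries), and whether an NSEC's type bitmap tells you an AAAA RRset exists after an A query. It also shows the check a cache must make before answering from a parent-zone NSEC: nothing below a delegation point is proven by the parent. The zones are constructed samples, not real root or example. data; RRSIG validation and wildcard handling are assumed to happen elsewhere.

```python
# Added illustration, not from the thread; sample chains are constructed and
# RRSIG validation of each NSEC is assumed to have been done already.
from collections import namedtuple
Nsec = namedtuple("Nsec", "owner next_name types")  # owner, next owner in canonical order, type bitmap

def _labels(name):
    # RFC 4034 s6.1 canonical form: lowercase, labels compared right to left.
    return [l.lower().encode() for l in name.rstrip(".").split(".") if l][::-1]

def canonical_lt(a, b):
    """True if a sorts strictly before b in DNSSEC canonical ordering."""
    la, lb = _labels(a), _labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return x < y
    return len(la) < len(lb)  # a proper ancestor sorts before its descendants

def covering_nsec(nsecs, qname):
    """Return the cached NSEC proving qname does not exist, or None."""
    for n in nsecs:
        lo, hi = canonical_lt(n.owner, qname), canonical_lt(qname, n.next_name)
        wraps = not canonical_lt(n.owner, n.next_name)  # last NSEC -> apex
        if not ((lo or hi) if wraps else (lo and hi)):
            continue
        # NSEC at a delegation point (NS, no SOA) proves nothing below it: the
        # child zone is authoritative there, so the cache must not answer.
        ol = _labels(n.owner)
        if _labels(qname)[:len(ol)] == ol and "NS" in n.types and "SOA" not in n.types:
            return None
        return n  # one NSEC covering "local." answers foo.local. and bar.local.
    return None

def type_exists(nsecs, name, rrtype):
    """Type bitmap lookup for an existing name: True/False, or None if uncached."""
    for n in nsecs:
        if _labels(n.owner) == _labels(name):
            return rrtype in n.types
    return None

ROOT_NSECS = [  # constructed root-like chain: no "local." TLD exists
    Nsec(".", "arpa.", {"NS", "SOA", "DNSKEY", "RRSIG", "NSEC"}),
    Nsec("arpa.", "example.", {"NS", "DS", "RRSIG", "NSEC"}),
    Nsec("example.", "net.", {"NS", "DS", "RRSIG", "NSEC"}),
    Nsec("net.", ".", {"NS", "DS", "RRSIG", "NSEC"}),
]
EXAMPLE_NSECS = [  # constructed chain for the delegated zone "example."
    Nsec("example.", "mail.example.", {"NS", "SOA", "MX", "RRSIG", "NSEC"}),
    Nsec("mail.example.", "www.example.", {"A", "AAAA", "RRSIG", "NSEC"}),
    Nsec("www.example.", "example.", {"A", "RRSIG", "NSEC"}),
]
```

With these chains, `covering_nsec(ROOT_NSECS, "www.example.")` returns None even though the root NSEC for example. spans that name, because example. is a delegation and only its zone can say what exists beneath it.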
