[dns-operations] IPv6 & IPv4 addresses

George Barwood george.barwood at blueyonder.co.uk
Thu Mar 17 17:12:03 UTC 2011


Re: [dns-operations] IPv6 & IPv4 addresses> No - that violates what's in RFC 2308. 

Err.. I don't see how it violates that, certainly not on the authoritative server side.
A server can put whatever it fancies in the additional section if it feels it is helpful.

On the resolver side, making use of the NSEC information for related queries is more
controversial, in view of the last section of rfc4035 section 4.5

   In theory, a resolver could use wildcards or NSEC RRs to generate
   positive and negative responses (respectively) until the TTL or
   signatures on the records in question expire.  However, it seems
   prudent for resolvers to avoid blocking new authoritative data or
   synthesizing new data on their own.  Resolvers that follow this
   recommendation will have a more consistent view of the namespace.

The language here is quite tentative though, leaving room for interpretation.
There would be questions as to how long the negative information can be cached.
That's normally taken from the SOA record.

By way of an example, I have set up a server/domain that sends the NSEC record proving no AAAA.
( It doesn't send an SOA record yet... )

dig A www.emsv.co.uk. +dnssec @a.ns.emsv.co.uk

and a domain that sends both A and AAAA 

dig A test.emsv.co.uk +dnssec @a.ns.emsv.co.uk

( Note, it sends the NSEC record anyway... )

The problem I see (apart from the rfc section above) is that the changes
to resolvers to take advantage of the NSEC info would be relatively complex.

George
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20110317/8315cc84/attachment.htm>


More information about the dns-operations mailing list