[dns-operations] IPv6 & IPv4 addresses
George Barwood
george.barwood at blueyonder.co.uk
Thu Mar 17 17:12:03 UTC 2011
Re: [dns-operations] IPv6 & IPv4 addresses> No - that violates what's in RFC 2308.
Err.. I don't see how it violates that, certainly not on the authoritative server side.
A server can put whatever it fancies in the additional section if it feels it is helpful.
On the resolver side, making use of the NSEC information for related queries is more
controversial, in view of the last section of rfc4035 section 4.5
In theory, a resolver could use wildcards or NSEC RRs to generate
positive and negative responses (respectively) until the TTL or
signatures on the records in question expire. However, it seems
prudent for resolvers to avoid blocking new authoritative data or
synthesizing new data on their own. Resolvers that follow this
recommendation will have a more consistent view of the namespace.
The language here is quite tentative though, leaving room for interpretation.
There would be questions as to how long the negative information can be cached.
That's normally taken from the SOA record.
By way of an example, I have set up a server/domain that sends the NSEC record proving no AAAA.
( It doesn't send an SOA record yet... )
dig A www.emsv.co.uk. +dnssec @a.ns.emsv.co.uk
and a domain that sends both A and AAAA
dig A test.emsv.co.uk +dnssec @a.ns.emsv.co.uk
( Note, it sends the NSEC record anyway... )
The problem I see (apart from the rfc section above) is that the changes
to resolvers to take advantage of the NSEC info would be relatively complex.
George
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20110317/8315cc84/attachment.html>
More information about the dns-operations
mailing list