[dns-operations] IPv6 & IPv4 addresses

Simon Munton Simon.Munton at communitydns.net
Fri Mar 18 10:00:56 UTC 2011

> dig A www.emsv.co.uk. +dnssec @a.ns.emsv.co.uk

I quite like that - putting the AAAA & NSEC/NSEC3 in the ADDITIONAL 
SECTION makes a lot of sense and (surely) violates nothing. Although the 
resolver wouldn't know the AA flag also applies to the ADDITIONAL data 
and so should really treat it as GLUE and re-query for it anyway.

Also, currently the resolver simply fires off a series of A & AAAA 
queries 0.0001ms apart - with that technique they'd have to wait for the 
reply to the first before firing off the second, so it would slow things 
where the authority doesn't have this feature.

On 17/03/2011 18:00, Edward Lewis wrote:
> The idea that a negative answer can be used to infer the absence of
 > another type is contrary to what is written in RFC 2308.

I don't see that - RFC2308 simply says you should cache previous NODATA 
answers, it doesn't say you can't use NSEC/NSEC3 records to prove other 
RRs also doesn't exist without specifically querying for them.

If the NSEC/NSEC3 has the same TTL as the EXPIRY then then wouldn't this 
be safe?

More information about the dns-operations mailing list