[dns-operations] IPv6 & IPv4 addresses
Simon Munton
Simon.Munton at communitydns.net
Fri Mar 18 10:59:22 UTC 2011
> The AA bit (and/or the answer section; some naughty servers don't set the AA bit)
> proves the server is authoritative for QNAME.
>
> That means there is no need to requery for RRsets in the Additional section
> that have owner = QNAME, they can be taken as Authoritative.

Yes, of course.

Further, if you include a verifiable RRSIG/AAAA (& for NODATA the
NSEC/NSEC3 & RRSIG/NSEC(3)) the AA bit becomes pretty much irrelevant
anyway as you have cryptographically proved this is authoritative data -
and the RRSIG is more reliable, as the AA bit is unverifiable.

With NSEC this technique should mean little extra overhead as the NSEC
is stored against the name, but with NSEC3 you will have a second search
of the database for the hashed record, so you can include the NSEC3 RR.
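
The NSEC versus NSEC3 lookup cost described in the message above, as an added example that is not part of the original post: it computes the RFC 5155 hashed owner name and counts the database searches needed to find the denial record for a NODATA answer. The zone layout (a dict of owner name to RR types), the function names and the sample zone are assumptions made for illustration; the salt `aabbccdd` and 12 iterations are the parameters of the example zone in RFC 5155 Appendix A.

```python
import base64
import hashlib

# Standard base32 -> base32hex alphabet (RFC 4648); NSEC3 owner labels use base32hex.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical (lower-case) DNS wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """Iterated SHA-1 hash from RFC 5155 section 5, as a base32hex label."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):          # 'iterations' extra rounds after the first
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii").lower()

def nodata_proof(zone_db, qname, apex, nsec3param=None):
    """Return (owner of the denial record, number of database searches)."""
    qname = qname.lower().rstrip(".")
    node = zone_db[qname]                # search 1: needed anyway to answer the query
    if nsec3param is None:
        if "NSEC" not in node:
            raise LookupError("zone is not NSEC-signed")
        return qname, 1                  # NSEC is stored against the name itself
    salt_hex, iterations = nsec3param
    owner = nsec3_hash(qname, salt_hex, iterations) + "." + apex
    if "NSEC3" not in zone_db[owner]:    # search 2: the hashed owner name
        raise LookupError("no NSEC3 at hashed owner")
    return owner, 2

# Constructed sample data (hypothetical layout: owner name -> RR types present).
PARAMS = ("aabbccdd", 12)
ZONE_NSEC = {"example": {"SOA", "NS", "NSEC", "RRSIG"}}
ZONE_NSEC3 = {
    "example": {"SOA", "NS", "RRSIG"},
    nsec3_hash("example", *PARAMS) + ".example": {"NSEC3", "RRSIG"},
}

if __name__ == "__main__":
    print(nodata_proof(ZONE_NSEC, "example", "example"))
    print(nodata_proof(ZONE_NSEC3, "example", "example", PARAMS))
```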