[dns-operations] IPv6 & IPv4 addresses

Edward Lewis Ed.Lewis at neustar.biz
Fri Mar 18 14:10:41 UTC 2011

At 10:00 +0000 3/18/11, Simon Munton wrote:

>On 17/03/2011 18:00, Edward Lewis wrote:
>>  The idea that a negative answer can be used to infer the absence of
>>  another type is contrary to what is written in RFC 2308.
>I don't see that - RFC2308 simply says you should cache previous NODATA
>answers, it doesn't say you can't use NSEC/NSEC3 records to prove other RRs
>also doesn't exist without specifically querying for them.

The spec says that negative answers are caches by the query, not in a 
tree of data like the positive cache.  Caching by query means not 
inferring from one query to the next (different one).

>If the NSEC/NSEC3 has the same TTL as the EXPIRY then then wouldn't this
>be safe?

Because 1) the cache is not supposed to make statements (i.e., 
inferring from one query to another) that should be handled by the 
authority, 2) the zone at the authority may not be static (which may 
make an inference wrong), 3) the sender of the message assume RFC 
2308 compliance and craft responses accordingly.

Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Me to infant son: "Waah! Waah! Is that all you can say?  Waah?"
Son: "Waah!"

More information about the dns-operations mailing list