[dns-operations] IPv6 & IPv4 addresses
Edward Lewis
Ed.Lewis at neustar.biz
Fri Mar 18 14:10:41 UTC 2011
At 10:00 +0000 3/18/11, Simon Munton wrote:
>On 17/03/2011 18:00, Edward Lewis wrote:
>> The idea that a negative answer can be used to infer the absence of
>> another type is contrary to what is written in RFC 2308.
>
>I don't see that - RFC2308 simply says you should cache previous NODATA
>answers, it doesn't say you can't use NSEC/NSEC3 records to prove other RRs
>also don't exist without specifically querying for them.
The spec says that negative answers are cached by the query, not in a
tree of data like the positive cache. Caching by query means not
inferring from one query to the next (different) one.
>If the NSEC/NSEC3 has the same TTL as the EXPIRY then wouldn't this
>be safe?
Because 1) the cache is not supposed to make statements (i.e.,
inferring from one query to another) that should be handled by the
authority, 2) the zone at the authority may not be static (which may
make an inference wrong), 3) the sender of the message assumes RFC
2308 compliance and crafts responses accordingly.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar You can leave a voice message at +1-571-434-5468
Me to infant son: "Waah! Waah! Is that all you can say? Waah?"
Son: "Waah!"
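The disagreement above is about how a negative cache is keyed. RFC 2308 section 5 caches an NXDOMAIN by <QNAME, QCLASS> and a NODATA by <QNAME, QTYPE, QCLASS>, so a cached "no MX" says nothing about AAAA at the same name. The following toy model is an added example, not code from the thread or from any resolver: it puts a strictly RFC 2308 resolver beside one that takes the shortcut Simon describes (pre-populating NODATA for every type absent from the NSEC type bitmap) and shows what happens when the zone changes during the negative TTL. The zone, the negative TTL of 300 seconds, the type list and the injected clock are all constructed for the example; class is fixed to IN.

```python
"""Added example: RFC 2308 negative-cache keying versus inferring NODATA for
other types from an NSEC type bitmap. Constructed toy model, not from the thread."""

# Constructed negative TTL; a real resolver takes it from the zone's SOA MINIMUM / TTL.
NEG_TTL = 300
# Types an inferring resolver would pre-populate; constructed, not exhaustive.
KNOWN_TYPES = ("A", "AAAA", "MX", "TXT")


def authority_query(zone, qname, qtype):
    """Toy authoritative server. Returns (rcode, rdata, type_bitmap).

    rcode is "NXDOMAIN", "NODATA" (NOERROR with an empty answer) or "NOERROR".
    type_bitmap stands in for the NSEC/NSEC3 type bitmap that a signed zone
    would return alongside a NODATA answer.
    """
    rrsets = zone.get(qname)
    if rrsets is None:
        return "NXDOMAIN", [], ()
    bitmap = tuple(sorted(rrsets))
    if qtype in rrsets:
        return "NOERROR", list(rrsets[qtype]), bitmap
    return "NODATA", [], bitmap


class Rfc2308Resolver:
    """Negative cache keyed as RFC 2308 section 5 describes:
    NXDOMAIN by <QNAME, QCLASS>, NODATA by <QNAME, QTYPE, QCLASS>."""

    def __init__(self, zone, clock):
        self.zone = zone          # shared with the toy authority so zone edits are visible
        self.clock = clock        # callable returning seconds; injected so tests control time
        self.neg = {}             # cache key -> expiry time
        self.upstream_queries = 0

    def _cached_negative(self, qname, qtype, now):
        # Check the NXDOMAIN key first, then the exact <name, type> NODATA key.
        for key in ((qname, "IN"), (qname, qtype, "IN")):
            expiry = self.neg.get(key)
            if expiry is not None and expiry > now:
                return "NXDOMAIN" if len(key) == 2 else "NODATA"
        return None

    def resolve(self, qname, qtype):
        now = self.clock()
        rcode = self._cached_negative(qname, qtype, now)
        if rcode is not None:
            return rcode, []
        self.upstream_queries += 1
        rcode, rdata, bitmap = authority_query(self.zone, qname, qtype)
        if rcode == "NXDOMAIN":
            self.neg[(qname, "IN")] = now + NEG_TTL
        elif rcode == "NODATA":
            self.neg[(qname, qtype, "IN")] = now + NEG_TTL
            self.on_nodata(qname, bitmap, now)
        return rcode, rdata

    def on_nodata(self, qname, bitmap, now):
        """RFC 2308 behaviour: only the query actually asked is cached."""
        return None


class InferringResolver(Rfc2308Resolver):
    """The shortcut discussed in the thread: treat every known type missing
    from the NSEC type bitmap as NODATA without ever querying for it."""

    def on_nodata(self, qname, bitmap, now):
        for rtype in KNOWN_TYPES:
            if rtype not in bitmap:
                self.neg[(qname, rtype, "IN")] = now + NEG_TTL


def scenario():
    """The zone gains an AAAA record after both resolvers cached a NODATA for MX."""
    clock = {"t": 0.0}

    def tick():
        return clock["t"]

    zone = {"www.example.": {"A": ["192.0.2.1"]}}   # constructed zone
    strict = Rfc2308Resolver(zone, tick)
    loose = InferringResolver(zone, tick)

    strict.resolve("www.example.", "MX")   # caches NODATA for (name, MX) only
    loose.resolve("www.example.", "MX")    # also caches NODATA for AAAA and TXT

    zone["www.example."]["AAAA"] = ["2001:db8::1"]  # the zone is not static

    strict_answer = strict.resolve("www.example.", "AAAA")  # asks the authority
    loose_answer = loose.resolve("www.example.", "AAAA")    # answers from the inference

    clock["t"] += NEG_TTL + 1              # the inferred entry finally expires
    loose_after_ttl = loose.resolve("www.example.", "AAAA")
    return strict_answer, loose_answer, loose_after_ttl


if __name__ == "__main__":
    print(scenario())
```

Running `scenario()` shows the failure mode Ed's point 2 describes: the strict resolver answers the new AAAA immediately because nothing in its cache matches <www.example., AAAA, IN>, while the inferring resolver keeps returning NODATA for a record that now exists until the negative TTL runs out. Matching the inferred entries' TTL to the NSEC TTL bounds how long that staleness lasts but does not remove it.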