[dns-operations] IPv6 & IPv4 addresses

Mark Andrews marka at isc.org
Sat Mar 19 00:28:38 UTC 2011


In message <a06240801c9a9166ac40a@[10.31.200.117]>, Edward Lewis writes:
> At 10:00 +0000 3/18/11, Simon Munton wrote:
> 
> >On 17/03/2011 18:00, Edward Lewis wrote:
> >>  The idea that a negative answer can be used to infer the absence of
> >>  another type is contrary to what is written in RFC 2308.
> >
> >I don't see that - RFC2308 simply says you should cache previous NODATA
> >answers, it doesn't say you can't use NSEC/NSEC3 records to prove other RRs
> >also don't exist without specifically querying for them.
> 
> The spec says that negative answers are cached by the query, not in a 
> tree of data like the positive cache.  Caching by query means not 
> inferring from one query to the next (different one).

Positive data is also cached by <qname,qtype,qclass>.  Whether you use
a tree, hash table or some other structure is up to the implementation.
 
> >If the NSEC/NSEC3 has the same TTL as the EXPIRY then wouldn't this
> >be safe?
> 
> Because 1) the cache is not supposed to make statements (i.e., 
> inferring from one query to another) that should be handled by the 
> authority, 2) the zone at the authority may not be static (which may 
> make an inference wrong), 3) the sender of the message assumes RFC 
> 2308 compliance and craft responses accordingly.

RFC 2308 preserved the DNSSEC RFCs' decision to not infer other
responses.
 
> -- 
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis
> NeuStar                    You can leave a voice message at +1-571-434-5468
> 
> Me to infant son: "Waah! Waah! Is that all you can say?  Waah?"
> Son: "Waah!"
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
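
The caching rule discussed in this thread, as an added example that is not part of the original message or of any resolver's code: a cache keyed by the query tuple as RFC 2308 section 5 describes (NODATA by <qname,qtype,qclass>, NXDOMAIN by <qname,qclass>), so a cached AAAA NODATA answer says nothing about A. The class name, method names, host name and TTL values are assumptions constructed for illustration.

```python
# Added illustration: resolver cache keyed by the query tuple (RFC 2308 section 5).
# Class and method names are hypothetical; names and TTLs below are constructed.

NODATA, NXDOMAIN = "NODATA", "NXDOMAIN"


class QueryKeyedCache:
    def __init__(self):
        self._positive = {}   # (qname, qtype, qclass) -> (expiry, rdata list)
        self._nodata = {}     # (qname, qtype, qclass) -> expiry
        self._nxdomain = {}   # (qname, qclass) -> expiry

    @staticmethod
    def negative_ttl(soa_ttl, soa_minimum):
        # RFC 2308: negative TTL is the lesser of the SOA's TTL and its MINIMUM field.
        return min(soa_ttl, soa_minimum)

    def store_positive(self, qname, qtype, qclass, rdata, ttl, now):
        self._positive[(qname.lower(), qtype, qclass)] = (now + ttl, list(rdata))

    def store_negative(self, kind, qname, qtype, qclass, soa_ttl, soa_minimum, now):
        expiry = now + self.negative_ttl(soa_ttl, soa_minimum)
        if kind == NXDOMAIN:
            self._nxdomain[(qname.lower(), qclass)] = expiry   # covers every qtype
        else:
            self._nodata[(qname.lower(), qtype, qclass)] = expiry

    def lookup(self, qname, qtype, qclass, now):
        """Return (status, rdata); status is HIT, NODATA, NXDOMAIN or MISS."""
        name = qname.lower()
        if self._nxdomain.get((name, qclass), 0) > now:
            return (NXDOMAIN, None)
        key = (name, qtype, qclass)
        if self._nodata.get(key, 0) > now:
            return (NODATA, None)
        expiry, rdata = self._positive.get(key, (0, None))
        if expiry > now:
            return ("HIT", rdata)
        return ("MISS", None)   # nothing cached for this exact query: ask upstream


def demo():
    cache = QueryKeyedCache()
    # Constructed scenario: an AAAA query for a v4-only host returned NODATA at t=0.
    cache.store_negative(NODATA, "www.example.com", "AAAA", "IN",
                         soa_ttl=3600, soa_minimum=300, now=0)
    return [cache.lookup("www.example.com", "AAAA", "IN", now=10),   # served from cache
            cache.lookup("www.example.com", "A", "IN", now=10),      # not inferred
            cache.lookup("www.example.com", "AAAA", "IN", now=301)]  # negative TTL expired
```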