[dns-operations] ANY efforts at taking additional responses more compact?

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Sep 7 14:42:58 UTC 2016

On Wed, Sep 07, 2016 at 05:33:48PM +0900, Paul Vixie wrote:

> Viktor Dukhovni wrote:
> >It occurs to me that for domains with a bunch of in-bailiwick nameservers,
> >it might make sense to advertise just a single logical nameserver name
> >which carries all the associated A/AAAA records, thereby substantially
> >reducing the number of RRSIGs in the additional section ...
> the receiver of an NS RRset is entitled to treat each NSDNAME as the name of
> a host which may be multihomed, and to treat each AAAA or A RRset whose
> owner name corresponds to that NSDNAME as a set of addresses belonging to
> that host. therefore if it hears an ICMP message such as "port unreachable"
> it is entitled to skip all the other addresses associated with that NSDNAME.
> not all NS RRset receivers behave this way. indeed, many will simply unroll
> the NS/AAAA and NS/A chains, and try them all, come what may.

That's a bit of a shame, it would have been handy to be able to
use multiple single-address names or a single name with multiple
addresses interchangeably.

Is it unreasonable to assume that the majority of implementations
ignore the names?  And perhaps ignore the few that behave contrary
to expectation?  Maybe also publish an RFC advising implementors
to not pay any attention to the names when implementing retry


P.S. I guess I could have expected this by analogy with SMTP, where
Postfix just resolves all the names in the MX RRset to addresses,
and works with pairs of (preference, address) for both loop
elimination and retries, while Sendmail IIRC works with (name,
address) pairs for both.
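Added example, not from this thread or anyone posting in it: a small Python model of the two points discussed above, how the NS/address layout changes the number of RRSIGs a signed additional section needs, and what a resolver that treats each NSDNAME as one multihomed host actually tries compared with one that unrolls the NS/A/AAAA chains. All names and addresses are constructed, and "one RRSIG per RRset" (a single signing key) is an assumption of the model.

```python
# Constructed model of a delegation: owner name -> {rrtype: [addresses]}.
from typing import Dict, List, Set

Delegation = Dict[str, Dict[str, List[str]]]

# Constructed zone: four in-bailiwick nameservers, each dual-stacked.
MULTI_NAME: Delegation = {
    "ns1.example.": {"A": ["192.0.2.1"], "AAAA": ["2001:db8::1"]},
    "ns2.example.": {"A": ["192.0.2.2"], "AAAA": ["2001:db8::2"]},
    "ns3.example.": {"A": ["192.0.2.3"], "AAAA": ["2001:db8::3"]},
    "ns4.example.": {"A": ["192.0.2.4"], "AAAA": ["2001:db8::4"]},
}


def collapse(deleg: Delegation, logical: str) -> Delegation:
    """Fold every address into one logical NSDNAME (the layout proposed in the mail)."""
    merged: Dict[str, List[str]] = {"A": [], "AAAA": []}
    for rrsets in deleg.values():
        for rtype, addrs in rrsets.items():
            merged[rtype].extend(addrs)
    return {logical: {t: a for t, a in merged.items() if a}}


def additional_rrsigs(deleg: Delegation) -> int:
    """RRSIGs needed for the address RRsets in the additional section.
    Assumption: one signing key, so exactly one RRSIG per non-empty RRset."""
    return sum(1 for rrsets in deleg.values() for addrs in rrsets.values() if addrs)


def addresses_tried(deleg: Delegation, unreachable: Set[str], per_host: bool) -> List[str]:
    """Simulate a resolver's retry walk over the delegation.

    `unreachable` holds addresses that answer with ICMP port unreachable.
    per_host=True  : each NSDNAME is one multihomed host; after one port
                     unreachable its remaining addresses are skipped.
    per_host=False : unroll NS/A and NS/AAAA and try every address.
    Returns the addresses actually contacted, in order."""
    tried: List[str] = []
    for rrsets in deleg.values():
        host_addrs = [a for addrs in rrsets.values() for a in addrs]
        for addr in host_addrs:
            tried.append(addr)
            if per_host and addr in unreachable:
                break  # give up on this host's other addresses
    return tried


if __name__ == "__main__":
    single = collapse(MULTI_NAME, "ns.example.")
    print(additional_rrsigs(MULTI_NAME), "RRSIGs vs", additional_rrsigs(single))
    print(addresses_tried(single, {"192.0.2.1"}, per_host=True))
```

With the collapsed layout, a per-host resolver that sees one port unreachable from the first address stops trying the whole logical nameserver, which is the failure mode the reply above points at.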
