[dns-wg] WG Agenda for RIPE50
Edward Lewis
Ed.Lewis at neustar.biz
Thu May 5 17:46:57 CEST 2005
At 17:18 +0200 5/5/05, Roy Arends wrote:
><proto police hat on>
Before this spins into a debate on the correctness of the answers (I
privately label them "hybrid" cache/referrals), I want to make two
points:
1) This action may or may not be completely compliant with the
protocol but it has been an operational boon.
Don't get me wrong - the messages are valid with respect to the
protocol. The way in which the data is obtained may not be what is
expected, but is fully compliant with the protocol. I.e., the answer
comes back with the AA bit off and the RA bit is also off. DNS does
not define what that "means" - it could be that the server is
recursive, but recursion is not available to the querier. (It could
be ACL'd out by IP address, for example.)
Defining the answers as "in-bailiwick" is hard. The servers in this
example are authoritative for .com and .net. To the server, the
bailiwick is any domain under .com and .net, regardless of the query.
OTOH, the only queries that fall into this category are asking for
names in .com and .net. I.e., you don't see a .biz name here - for
many reasons.
Keep in mind that just because the IETF has defined it, doesn't mean
it's operationally valid. The IETF tries, but sometimes misses the
mark. Without this crutch, no BIND prior to 8.something would have
worked (getting lost in reverse map queries) and the number of
queries sent would have been much higher.
2) This is another case of DNSSEC exposing corner cases that DNS was
able to live with. Like "* NS", until DNSSEC, these cases could
exist without heartburn, but when push comes to shove in the "signed
by the authorized party" era, we find that these cases exist. ("*
DNAME" isn't in this category for other reasons, even in non-DNSSEC
it causes heartburn. Sorry - that's a different discussion on
another list.)
I may be painting this scenario in an unfair light calling it a
"corner case" but it qualifies because this is "ersatz caching." It
works now because as long as the host objects are in line with what's
really in DNS, it's okay. Problems don't pop up until the DNS is
changed and the registration isn't. This will happen when the zone
gets signed. Retrieval of the RRSIGs for all registered host
objects is probably not going to happen.
I'm sure there is a way "out" of this. For one, without DNSSEC, the
answer coming from a non-authoritative server is lower in credibility
than an answer from an authoritative one. Perhaps a validator can
recognize hybrid answers and realize not to "panic" when it lacks the
RRSIG, instead "following" the referral half of the message.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
If you knew what I was thinking, you'd understand what I was saying.
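The AA/RA observation in the message above, as an added example that is not part of the original post or of any nameserver's code: a small Python check that parses a wire-format DNS header, labels a response "hybrid" when it carries answer data with both AA and RA clear, and tests the queried name against the zones the server is authoritative for. The sample messages are constructed header bytes, and the zone list is an assumed input.

```python
import struct

# Bit masks for the 16-bit flags word of the DNS header (RFC 1035, 4.1.1).
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def parse_header(msg):
    """Return the twelve-byte DNS header of a wire-format message as a dict."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "tc": bool(flags & TC), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def in_bailiwick(name, zones):
    """True if name is at or below one of the zones the server serves."""
    labels = name.lower().rstrip(".").split(".")
    for zone in zones:
        zl = zone.lower().rstrip(".").split(".")
        if len(labels) >= len(zl) and labels[-len(zl):] == zl:
            return True
    return False


def classify_response(msg, qname, server_zones):
    """Label a response by its header bits: authoritative, referral,
    recursive (from a resolver cache), or the hybrid form discussed above
    (answer data present, AA clear, RA clear)."""
    h = parse_header(msg)
    if not h["qr"]:
        return "query"
    if h["aa"]:
        return "authoritative"
    if h["ancount"] == 0 and h["nscount"] > 0:
        return "referral"
    if h["ancount"] > 0 and not h["ra"]:
        # A validator could treat this like a referral and re-query the
        # delegated servers instead of expecting an RRSIG here.
        return "hybrid" if in_bailiwick(qname, server_zones) else "hybrid-out-of-bailiwick"
    return "recursive"


# Constructed sample headers (assumed ID 0x1234, one question each):
# QR=1 AA=0 RD=1 RA=0, one answer, two NS in authority  -> hybrid
HYBRID_RESPONSE = struct.pack("!6H", 0x1234, 0x8100, 1, 1, 2, 2)
# QR=1 AA=1 RD=1 RA=0, one answer                        -> authoritative
AUTH_RESPONSE = struct.pack("!6H", 0x1234, 0x8500, 1, 1, 0, 0)
```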