Re: [dnsext] NS/NSEC/NSEC3 records in the Additional section

Klaus Malorny <Klaus.Malorny@knipp.de> Thu, 19 May 2011 13:53 UTC

Message-ID: <4DD520D0.4030702@knipp.de>
Date: Thu, 19 May 2011 15:53:20 +0200
From: Klaus Malorny <Klaus.Malorny@knipp.de>
To: Florian Weimer <fweimer@bfk.de>
Cc: dnsext@ietf.org
References: <4DD4CEFB.3050702@knipp.de> <82k4dnez5p.fsf@mid.bfk.de>
In-Reply-To: <82k4dnez5p.fsf@mid.bfk.de>

On 19/05/11 12:57, Florian Weimer wrote:
> * Klaus Malorny:
>
> You should send unusual records only in response to DO=1 queries.
> Otherwise, you risk that the client cannot interpret them.  (The risk
> with DNSSEC-capable clients is still there, of course, but it seems
> less.)

That statement makes me wonder how robust the resolvers are ;-)

>
> There is no precedent for copying NS records to the additional section,
> AFAIK.  Given the amount of work put into reducing response sizes, it's
> also unlikely that such a feature would be a win for all parties
> involved.
>

Yes, but the idea was that if the NS records in the authority section are of any use (while only the use as alternative name servers comes to my mind), then the additional NS records would allow omitting an extra query to the tld. name servers.

While in the meantime I more or less managed to cope with the complexity of authoritative name servers (esp. in conjunction with DNSSEC), resolvers are still somewhat secret and magical to me. So I probably will stay away from that idea for the sake of stability and reliability.

Regards,

Klaus
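The rule Florian states above (send "unusual" records in the additional section only to clients that asked with DO=1) comes down to one check on the incoming query: is there an EDNS0 OPT record, and is the DNSSEC OK bit set in it? The following is an added example, not code from either poster or from any name server mentioned in the thread. It builds a minimal query in wire format with or without EDNS/DO, parses the OPT RR back out, and applies a filter to a list of candidate additional records. The set of types treated as DNSSEC-only (NS, NSEC, NSEC3, RRSIG) and the record tuples are assumptions made for the example; address glue is always passed through.

```python
import struct

TYPE_OPT = 41
DO_FLAG = 0x8000  # DNSSEC OK bit: top bit of the OPT RR's 32-bit TTL field
# Assumption for this example: types a non-DO client may not expect in the
# additional section. A/AAAA glue is not in the set and goes to everyone.
DNSSEC_ONLY_TYPES = {"NS", "NSEC", "NSEC3", "RRSIG"}


def encode_name(name):
    """Encode a dotted name in uncompressed wire format (labels + root)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    out += b"\x00"
    return bytes(out)


def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, name ends
            return off + 2
        off += 1 + length


def build_query(qname, qtype, edns=True, do=True, udp_size=4096, qid=0x1234):
    """Build a minimal RD=1 query, optionally with an EDNS0 OPT RR in the
    additional section. The OPT RR owner is the root name, CLASS carries the
    UDP payload size, and the DO bit sits in the TTL field."""
    arcount = 1 if edns else 0
    msg = bytearray(struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount))
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)  # QTYPE, IN
    if edns:
        ttl = DO_FLAG if do else 0  # ext-rcode 0, version 0, flags
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)
    return bytes(msg)


def query_wants_dnssec(wire):
    """True if the query carries an OPT RR with the DO bit set, else False."""
    _qid, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", wire, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(wire, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(wire, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", wire, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return bool(ttl & DO_FLAG)
    return False


def select_additional(query_wire, candidates):
    """Apply the thread's advice: address glue to every client, DNSSEC-flavoured
    records (NS/NSEC/NSEC3/RRSIG here) only when the query had DO=1.
    Candidates are (owner, type, rdata) tuples."""
    do = query_wants_dnssec(query_wire)
    return [rr for rr in candidates if do or rr[1] not in DNSSEC_ONLY_TYPES]


# Constructed sample data for the example (reserved example names/addresses).
CANDIDATES = [
    ("ns1.example.", "A", "192.0.2.1"),
    ("example.", "NS", "ns1.example."),
    ("example.", "NSEC", "ns1.example. A NS SOA RRSIG NSEC DNSKEY"),
]

if __name__ == "__main__":
    for edns, do in ((True, True), (True, False), (False, False)):
        q = build_query("www.example.", 1, edns=edns, do=do)
        print(f"edns={edns} do={do}:",
              [rr[1] for rr in select_additional(q, CANDIDATES)])
```

Running the block prints the record types that survive the filter for a DO=1 query, a DO=0 EDNS query and a plain query; only the first keeps the NS and NSEC records. A real server would also cap the response at the advertised UDP payload size before adding anything optional, which is the size concern Florian raises.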