Re: [dnsext] NS/NSEC/NSEC3 records in the Additional section
Edward Lewis <Ed.Lewis@neustar.biz> Thu, 19 May 2011 14:10 UTC
Return-Path: <Ed.Lewis@neustar.biz>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07976E06C0 for <dnsext@ietfa.amsl.com>; Thu, 19 May 2011 07:10:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.299
X-Spam-Level:
X-Spam-Status: No, score=-106.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_65=0.6, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bFg+qKzW3gPr for <dnsext@ietfa.amsl.com>; Thu, 19 May 2011 07:10:33 -0700 (PDT)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by ietfa.amsl.com (Postfix) with ESMTP id 87F6DE06BD for <dnsext@ietf.org>; Thu, 19 May 2011 07:10:33 -0700 (PDT)
Received: from work-laptop-2 (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.4/8.14.4) with ESMTP id p4JEAUPA065890; Thu, 19 May 2011 10:10:31 -0400 (EDT) (envelope-from Ed.Lewis@neustar.biz)
Received: from [10.31.201.181] by work-laptop-2 (PGP Universal service); Thu, 19 May 2011 10:10:31 -0400
X-PGP-Universal: processed; by work-laptop-2 on Thu, 19 May 2011 10:10:31 -0400
Mime-Version: 1.0
Message-Id: <a06240801c9facf6ef6c0@[10.31.201.181]>
In-Reply-To: <4DD4CEFB.3050702@knipp.de>
References: <4DD4CEFB.3050702@knipp.de>
Date: Thu, 19 May 2011 10:10:10 -0400
To: Klaus Malorny <Klaus.Malorny@knipp.de>
From: Edward Lewis <Ed.Lewis@neustar.biz>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Scanned-By: MIMEDefang 2.68 on 10.20.30.4
Cc: dnsext@ietf.org
Subject: Re: [dnsext] NS/NSEC/NSEC3 records in the Additional section
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 May 2011 14:10:35 -0000
At 10:04 +0200 5/19/11, Klaus Malorny wrote: >I am wondering whether the Additional section may contain NS records, and, >if so, whether the respective NSEC/NSEC3 record to prove the non-existence >of the DS record for this delegation shall be placed also in the >Additional section or in the Authority section instead. I cannot think of any situation in which an NS set would appear in the additional section of a response (specifically a message with OPCODE=query, QR=1). NS records will appear in the answer section if and only if they type NS matches the QTYPE (NS, ANY, AXFR, IXFR if I'm not mistaken). NS records will appear in the authority section for a number of reasons, one is to direct the next iterative query to another set of servers (a referral), to establish the source as the authority for what is in the question and answer sections, and maybe some other situation I'm not thinking of right now. Presence or (proof of) absence of DS records, when germane, will appear in the authority section. (Again, unless DS matches the QTYPE.) >If I have the following zone, > >tld. SOA ... >tld. NS ns1.sld.tld. > >sld.tld. NS ns2.other. >sld.tld. NS ns3.other. > >I think it would make sense to include the NS records of sld.tld. (and DS >records if signed) in the Additional section if the NS records of tld. >are included in the Authority section, as this information is available >anyway and should be useful for the resolver. This is, however, contrary >to the behaviour of BIND, which I consider as a reference. Responding to that suggestion begins with this question - what is the query you have in mind? If the response would include the NS set of tld. in the authority, then the message means that the answer lies in the tld zone, therefore, there's no need to go to the sld.tld. servers. If you are thinking that a query like "shinkuro.us/IN/DS" directed to an authoritative server should have the DS in the answer, the NS of US in the authority and NS of shinkuro.us in the additional, there are a two reasons not to do this. One is that the shinkuro.us records here have a very low trustworthy rating (see RFC 2181 for that). Two, it is unlikely a validator would ask for the DS record unless the data "below" it that is being validated was already in hand - hence the NS set is already in hand (or perhaps TTL'd out). When we were designing DNSSEC we were more generous in including extra information until we discovered that often times the extra records (in additional) were unneeded because the cache already had them and hence represented unneeded bytes in the message. In the 90's our concern was bandwidth, now is it is message size (fragmentation, firewalls that don't know EDNS0, etc.). >Also, in the case that tld. is signed and sld.tld. not, the question is >whether the respective NSEC/NSEC3 record shall be also in the Additional >section. RFCs 403x and 5155 mention only the Authority section, but >the described case does not occur at all in these RFCs (unless I missed it). DNSSEC is supposed to be consumed in data flows internal to the DNS. As such, DS records and NSEC/NSEC3 records and others would never be part of other helpful records that are what is put into the additional. E.g., the A/AAAA record matching the RDATA names of MX records are counter examples. DNSSEC isn't meant to be helpful to the answer, it is meant to make sure the answer meets certain security properties. -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis NeuStar You can leave a voice message at +1-571-434-5468 Now, don't say I'm always complaining. Wait, that's a complaint, isn't it?
- [dnsext] NS/NSEC/NSEC3 records in the Additional … Klaus Malorny
- Re: [dnsext] NS/NSEC/NSEC3 records in the Additio… Florian Weimer
- Re: [dnsext] NS/NSEC/NSEC3 records in the Additio… Klaus Malorny
- Re: [dnsext] NS/NSEC/NSEC3 records in the Additio… Edward Lewis