Re: [dnsext] caches, validating resolvers, CD and DO

Edward Lewis <> Wed, 30 March 2011 14:01 UTC

Date: Wed, 30 Mar 2011 09:53:01 -0400
To: Mark Andrews <>
From: Edward Lewis <>

For those only reading the mail list (i.e., not attending the 
in-person meeting), can you give some context to this?  I suspect 
this is a follow-on to a meeting discussion.

At 17:23 +1100 3/30/11, Mark Andrews wrote:
>I don't think we have the semantics of these bits quite right
>yet.  In normal operations a validating resolver talking to
>a cache should just set DO.  This will result in DNSSEC records
>being returned and in most cases these will validate.  This
>also permits caches to do their jobs correctly.
>
>When these do not validate or SERVFAIL is returned, the validating
>resolver should then re-issue the query with CD set and an EDNS
>option indicating which upstream servers have been tried.  This
>option is initially empty.  The cache will then behave as a proxy
>for this query (excluding the EDNS option) adding the responding
>server's address to the EDNS option.  If there are no more addresses
>to try, SERVFAIL (new rcode?) is returned along with the EDNS option
>from the query.
>
>If the cache is using another cache the entire query/response is
>proxied.  The intent is for the validating client to talk through
>intermediate caches to the cache talking directly to the authoritative
>servers.  The EDNS option maintains a list of authoritative server
>addresses for the zone that have been tried.  This list is passed
>back and forth between the validating resolver and the cache talking
>to the authoritative server.
>Mark Andrews, ISC
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE:	+61 2 9871 4742		         INTERNET:

Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Me to infant son: "Waah! Waah! Is that all you can say?  Waah?"
Son: "Waah!"
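An added illustration of the exchange Mark sketches above (this is example code written for this page, not code from the thread, from ISC or from BIND): a toy Python model of a validating resolver talking through one or more non-validating caches to a set of authoritative servers. Real DNSSEC validation is stood in for by an HMAC over the answer data under a zone key the validator knows; the "servers tried" EDNS option is modelled as a `tried` tuple on the query and response; the server addresses are RFC 5737 documentation addresses chosen here; and the rogue server that returns unsignable data is constructed for the scenario. The model shows the two points of the proposal: the first query sets DO only and gets whatever the cache holds (here, bad data the cache pulled from the first authoritative server), and the CD retries walk the authoritative list through the caches until an answer validates or the list is exhausted and SERVFAIL comes back carrying the full list.

```python
"""Toy model of the DO/CD retry scheme from the quoted proposal.

Constructed example: HMAC stands in for DNSSEC RRSIG validation, and the
"servers tried" EDNS option is a hypothetical `tried` tuple field.
"""
import hmac
import hashlib
from dataclasses import dataclass, replace

ZONE_KEY = b"example-zone-key"   # stands in for the zone's DNSKEY (constructed)
NOERROR, SERVFAIL = 0, 2


def sign(name, rdata, key=ZONE_KEY):
    """Stand-in for an RRSIG: HMAC over owner name and rdata."""
    return hmac.new(key, f"{name}|{rdata}".encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Query:
    name: str
    do: bool = False
    cd: bool = False
    tried: tuple = ()        # hypothetical EDNS option: upstream addresses already tried


@dataclass(frozen=True)
class Response:
    rcode: int
    rdata: str = None
    sig: str = None          # "DNSSEC records", returned only when DO was set
    tried: tuple = ()        # the EDNS option echoed back, extended by the cache


class AuthServer:
    def __init__(self, addr, rdata, key=ZONE_KEY):
        self.addr, self.rdata, self.key = addr, rdata, key

    def respond(self, q):
        sig = sign(q.name, self.rdata, self.key) if q.do else None
        return Response(NOERROR, self.rdata, sig)


class Cache:
    """Non-validating cache; upstream is a list of AuthServer or a single Cache."""
    def __init__(self, upstream):
        self.upstream, self.store = upstream, {}

    def respond(self, q):
        if not q.cd:
            # Normal operation: serve from cache, populating it from the first upstream.
            if q.name not in self.store:
                src = self.upstream if isinstance(self.upstream, Cache) else self.upstream[0]
                self.store[q.name] = src.respond(replace(q, do=True))
            r = self.store[q.name]
            return r if q.do else replace(r, sig=None)
        if isinstance(self.upstream, Cache):
            return self.upstream.respond(q)          # another cache: proxy the whole query
        for srv in self.upstream:                    # authoritative: next address not yet tried
            if srv.addr not in q.tried:
                r = srv.respond(replace(q, tried=()))  # option is not sent to the auth server
                return replace(r, tried=q.tried + (srv.addr,))
        return Response(SERVFAIL, tried=q.tried)     # list exhausted: SERVFAIL plus the option


class ValidatingResolver:
    def __init__(self, cache, key=ZONE_KEY):
        self.cache, self.key, self.log = cache, key, []

    def validates(self, q, r):
        return (r.rcode == NOERROR and r.sig is not None
                and hmac.compare_digest(r.sig, sign(q.name, r.rdata, self.key)))

    def resolve(self, name):
        """Returns (rdata or None, tuple of authoritative addresses tried)."""
        q = Query(name, do=True)                     # step 1: DO only, let the cache do its job
        r = self.cache.respond(q)
        self.log.append((q, r))
        if self.validates(q, r):
            return r.rdata, ()
        tried = ()
        while True:                                  # step 2: CD plus the tried-servers option
            q = Query(name, do=True, cd=True, tried=tried)
            r = self.cache.respond(q)
            self.log.append((q, r))
            if r.rcode == SERVFAIL:
                return None, r.tried
            if self.validates(q, r):
                return r.rdata, r.tried
            tried = r.tried


def resolve_through_caches():
    """Resolver -> edge cache -> inner cache -> [rogue, good] authoritative servers."""
    rogue = AuthServer("192.0.2.1", "203.0.113.66", key=b"wrong-key")  # unsignable data
    good = AuthServer("192.0.2.2", "192.0.2.80")
    return ValidatingResolver(Cache(Cache([rogue, good]))).resolve("www.example.")


def resolve_all_bogus():
    """Every authoritative server returns bad data: expect SERVFAIL with both addresses."""
    rogues = [AuthServer("192.0.2.1", "203.0.113.66", key=b"wrong-key"),
              AuthServer("192.0.2.3", "203.0.113.67", key=b"wrong-key")]
    return ValidatingResolver(Cache(rogues)).resolve("www.example.")


if __name__ == "__main__":
    print(resolve_through_caches())   # ('192.0.2.80', ('192.0.2.1', '192.0.2.2'))
    print(resolve_all_bogus())        # (None, ('192.0.2.1', '192.0.2.3'))
```

In the first scenario the resolver needs three exchanges: the DO-only query returns the bad answer both caches pulled from the first authoritative server, the first CD query is proxied to that same server and fails again, and the second CD query (now carrying its address in the option) reaches the second server and validates. Note that the caches never have to validate anything and never need to know which server is bad; the only state they carry is what the option tells them.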