Re: [dnsext] caches, validating resolvers, CD and DO
Edward Lewis <Ed.Lewis@neustar.biz> Wed, 30 March 2011 14:01 UTC
Return-Path: <Ed.Lewis@neustar.biz>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 985A328C177 for <dnsext@core3.amsl.com>; Wed, 30 Mar 2011 07:01:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.994
X-Spam-Level:
X-Spam-Status: No, score=-101.994 tagged_above=-999 required=5 tests=[AWL=-0.569, BAYES_00=-2.599, FB_NO_MORE_ADS=1.174, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NA95NEzZTeGK for <dnsext@core3.amsl.com>; Wed, 30 Mar 2011 07:01:09 -0700 (PDT)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by core3.amsl.com (Postfix) with ESMTP id A3B5B28C144 for <dnsext@ietf.org>; Wed, 30 Mar 2011 07:01:09 -0700 (PDT)
Received: from Work-Laptop-2.local (gatt.md.ogud.com [10.20.30.6]) by stora.ogud.com (8.14.4/8.14.4) with ESMTP id p2UE2iPd076967; Wed, 30 Mar 2011 10:02:44 -0400 (EDT) (envelope-from Ed.Lewis@neustar.biz)
Received: from [10.31.200.115] by Work-Laptop-2.local (PGP Universal service); Wed, 30 Mar 2011 10:02:45 -0400
X-PGP-Universal: processed; by Work-Laptop-2.local on Wed, 30 Mar 2011 10:02:45 -0400
Mime-Version: 1.0
Message-Id: <a06240803c9b8e5da2d1a@[10.31.200.115]>
In-Reply-To: <20110330062335.BA8C9DAC3C4@drugs.dv.isc.org>
References: <20110330062335.BA8C9DAC3C4@drugs.dv.isc.org>
Date: Wed, 30 Mar 2011 09:53:01 -0400
To: Mark Andrews <marka@isc.org>
From: Edward Lewis <Ed.Lewis@neustar.biz>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Scanned-By: MIMEDefang 2.68 on 10.20.30.4
Cc: dnsext@ietf.org
Subject: Re: [dnsext] caches, validating resolvers, CD and DO
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2011 14:01:10 -0000
For those only reading the mail list (i.e., not attending the in-person meeting), can you give some context to this? I suspect this is a follow on to a meeting discussion. At 17:23 +1100 3/30/11, Mark Andrews wrote: >I don't think we have the sematics of these bits quite right >yet. In normal operations a validating resolver taking to >a cache should just set DO. This will result in DNSSEC records >being returned and in most cases these will validate. This >also permits caches to do their jobs correctly. > >When these do not validate or SERVFAIL is returned, the validating >resolver should then re-issue the query with CD set and a EDNS >option indicating which upstream servers have been tried. This >option is initially empty. The cache will then behave as a proxy >for this query (excluding the EDNS option) adding the responding >server's address to the EDNS option. If there are no more addresses >to try, SERVFAIL (new rcode?) is returned along with the EDNS option >from the query. > >If the cache is using another cache the entire query/response is >proxied. The intent is for the validating client to talk through >intermediate caches to the cache talk directly to the authoritative >servers. The EDNS option maintains a list of authoritative server >addresses for the zone that have been tried. This list is passed >back and forth between the validating resolver and the cache talking >to the authoritative server. > >Mark >-- >Mark Andrews, ISC >1 Seymour St., Dundas Valley, NSW 2117, Australia >PHONE: +61 2 9871 4742 INTERNET: marka@isc.org >_______________________________________________ >dnsext mailing list >dnsext@ietf.org >https://www.ietf.org/mailman/listinfo/dnsext -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis NeuStar You can leave a voice message at +1-571-434-5468 Me to infant son: "Waah! Waah! Is that all you can say? Waah?" Son: "Waah!"
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- [dnsext] caches, validating resolvers, CD and DO Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Alex Bligh
- Re: [dnsext] caches, validating resolvers, CD and… Paul Vixie
- Re: [dnsext] caches, validating resolvers, CD and… Paul Vixie
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Michael Richardson
- Re: [dnsext] caches, validating resolvers, CD and… Alex Bligh
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Paul Vixie
- Re: [dnsext] caches, validating resolvers, CD and… Tony Finch
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Jelte Jansen
- Re: [dnsext] caches, validating resolvers, CD and… Marc Lampo
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Edward Lewis
- Re: [dnsext] caches, validating resolvers, CD and… Nicholas Weaver
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Marc Lampo
- Re: [dnsext] caches, validating resolvers, CD and… Nicholas Weaver
- Re: [dnsext] caches, validating resolvers, CD and… Derek Atkins
- Re: [dnsext] caches, validating resolvers, CD and… Nicholas Weaver
- Re: [dnsext] caches, validating resolvers, CD and… bmanning