Re: [dnsext] afasterinternet.com trial and draft-vandergaast-edns-client-subnet-00

[Tony Finch <dot@dotat.at>]

Marc Lampo <marc.lampo@eurid.eu> wrote:
>
>  - how can caching name service know which RRSIG, applying to RRset with
> eg one A-record, goes with which A-record ?

An RRSIG covers an entire RRset. Different caches may see different
RRsets, and the same cache may see different RRsets at different times, so
caches need to ensure each RRSIG is transmitted, cached, and expired
alongside its RRset.

The EDNS client subnet option allows caches to store multiple RRsets for
the same name, type, and class at the same time, distinguishing them
according to the client IP address.

>  - this is not "standard" for the authoritative name services,
>     to provide these multiple RRSIG's.

Correct. Geo IP requires stunt name servers for all authoritative servers.
The servers hand out different versions of the same RRset according to
some internal logic. Each version of the RRset needs an appropriate RRSIG.
There only need to be RRSIGs for the RRsets that are actually served.

> The EDNS0 OPT record is mandatory, for DNSSEC. Records from client to
> server cannot be signed anyway; I see no requirement/recommendation of
> signing the OPT record from server to client.

SIG(0) / TSIG.

> What I really meant to express, is that, for public caching name services,
> I'd recommend they implement DNSSEC themselves
>  (first - before implementing this/your draft RFC)

Yes, but the only people who need to implement this draft are those
running open resolvers with a very widely dispersed client population, and
content delivery networks who want accurate geo IP for users of large open
resolver services.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Portland, Plymouth: Southwest veering west 6 to gale 8, occasionally severe
gale 9 at first in Portland, decreasing 5 at times later. Rough, occasionally
very rough at first. Rain then showers. Moderate or good.