Re: [dnsext] draft-ietf-dnsext-rfc3597-bis-00
Florian Weimer <fw@deneb.enyo.de> Mon, 05 October 2009 20:11 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ECECA3A6975; Mon, 5 Oct 2009 13:11:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.418
X-Spam-Level:
X-Spam-Status: No, score=0.418 tagged_above=-999 required=5 tests=[AWL=-0.332, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p-WZGk-G37Xn; Mon, 5 Oct 2009 13:11:45 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 052413A681A; Mon, 5 Oct 2009 13:11:45 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1Mutqa-0002ED-IC for namedroppers-data0@psg.com; Mon, 05 Oct 2009 20:07:52 +0000
Received: from [212.9.189.167] (helo=mail.enyo.de) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <fw@deneb.enyo.de>) id 1MutqK-0002Bg-VR for namedroppers@ops.ietf.org; Mon, 05 Oct 2009 20:07:44 +0000
Received: from deneb.vpn.enyo.de ([212.9.189.177] helo=deneb.enyo.de) by mail.enyo.de with esmtp id 1MutqE-0003yP-If; Mon, 05 Oct 2009 22:07:30 +0200
Received: from fw by deneb.enyo.de with local (Exim 4.69) (envelope-from <fw@deneb.enyo.de>) id 1MutqD-0007AD-Lj; Mon, 05 Oct 2009 20:07:29 +0000
From: Florian Weimer <fw@deneb.enyo.de>
To: Matthew Dempsky <matthew@dempsky.org>
Cc: Andreas Gustafsson <gson@araneus.fi>, namedroppers@ops.ietf.org
Subject: Re: [dnsext] draft-ietf-dnsext-rfc3597-bis-00
References: <200909231901.VAA06003@TR-Sys.de> <87r5tjt33l.fsf@mid.deneb.enyo.de> <19145.40369.687275.295680@guava.gson.org> <87my454ugb.fsf@mid.deneb.enyo.de> <d791b8790910051155x341d13a4j20424c0633e3910f@mail.gmail.com> <87fx9x3bfb.fsf@mid.deneb.enyo.de> <d791b8790910051221p3ea3a381o9fe5721f7c4ba74c@mail.gmail.com>
Date: Mon, 05 Oct 2009 20:07:29 +0000
In-Reply-To: <d791b8790910051221p3ea3a381o9fe5721f7c4ba74c@mail.gmail.com> (Matthew Dempsky's message of "Mon, 5 Oct 2009 12:21:27 -0700")
Message-ID: <87pr91wqny.fsf@mid.deneb.enyo.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
List-Unsubscribe: To unsubscribe send a message to namedroppers-request@ops.ietf.org with
List-Unsubscribe: the word 'unsubscribe' in a single line as the message text body.
List-Archive: <http://ops.ietf.org/lists/namedroppers/>
* Matthew Dempsky: > On Mon, Oct 5, 2009 at 12:09 PM, Florian Weimer <fw@deneb.enyo.de> wrote: >> * Matthew Dempsky: >>> E.g., if a DNAME-ignorant cache receives a response with a >>> DNAME record and a synthesized CNAME record in response to an A-type >>> query, is it allowed to cache the DNAME record still? >> >> It should not be returned to the client in response to a subsequent >> query for the DNAME record at its owner name. > > What's your reasoning for this? Mainly the observation that it would deliver incomplete RRsets for RRSIG queries today if we didn't have DO. Future interesting records could show similar behavior. >>> If an AAAA-ignorant cache receives a response with AAAA glue >>> records, is it allowed to cache the AAAA record still? >> >> No, certainly not. This touches forgery resilience, too. > > Your wording implies there are reasons other than forgery resilience > that the AAAA glue records should be discarded. Is this the same as > the DNAME case, or are there additional reasons here? You don't really know to which section the additional data is related, and if the RRset is complete (as in the RRSIG case). >> it can't be promoted to an answer section, > > In practice, additional section records are regularly promoted to the > answer section. E.g., A and AAAA records returned in the additional > section in response to an MX or SRV query. Let's just say that BIND is buggy in this regard, okay? >> and section 8 of RFC 3597 states that no additional section >> processing is to be performed for unknown records, so you won't see it >> there, either. > > This seems irrelevant to me: the issue I was suggesting isn't whether > an unknown record causes additional section processing or not, but > whether an unknown record type is added because of additional section > processing. You need two records to end up with additional section processing, so it's at best unclear to me if this applies or not. > Maybe you're assuming a cache that goes to extra effort to associate > additional section records with the answer/authority records that were > processed to add them? I'm worried about BIND 8 style caches which pass through unchecked information of unknown provence, causing correctness issues further downstream.
- [dnsext] draft-ietf-dnsext-rfc3597-bis-00 Alfred Hönes
- Re: [dnsext] draft-ietf-dnsext-rfc3597-bis-00 Andreas Gustafsson
- Re: [dnsext] draft-ietf-dnsext-rfc3597-bis-00 Florian Weimer
- Re: [dnsext] draft-ietf-dnsext-rfc3597-bis-00 W.C.A. Wijngaards
- Re: [dnsext] draft-ietf-dnsext-rfc3597-bis-00 Andreas Gustafsson
- Re: [dnsext] draft-ietf-dnsext-rfc3597-bis-00 Florian Weimer
- Re: [dnsext] draft-ietf-dnsext-rfc3597-bis-00 Andreas Gustafsson
- Re: [dnsext] draft-ietf-dnsext-rfc3597-bis-00 Matthew Dempsky
- Re: [dnsext] draft-ietf-dnsext-rfc3597-bis-00 Florian Weimer
- Re: [dnsext] draft-ietf-dnsext-rfc3597-bis-00 Andrew Sullivan
- Re: [dnsext] draft-ietf-dnsext-rfc3597-bis-00 Matthew Dempsky
- Re: [dnsext] draft-ietf-dnsext-rfc3597-bis-00 Florian Weimer
- Re: [dnsext] draft-ietf-dnsext-rfc3597-bis-00 Matthew Dempsky
- Re: [dnsext] draft-ietf-dnsext-rfc3597-bis-00 Florian Weimer