Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-01.txt

[Evan Hunt <each@isc.org>]

> I have concerns about the resolver replacing A/AAAA records in signed
> zones as it breaks validation.

What do you mean by "the resolver" in this case?

> If a resolver understanding ANAME is queried using the DO=1 flag it
> shouldn't touch the A/AAAA records, because it already knows the
> requestor would through them away.

It doesn't *know*. DO=1 doesn't mean the client is validating; it means the
client understands RRSIG.

The draft already advises that ANAME will break validation unless the
validator is ANAME-aware or the auth server has access to the zone's
private key and can sign responses on the fly. (This suggests to me that
the use of ANAME in signed zones will probably be limited at first.)

> This also means a caching resolver should store the original A/AAAA
> records (and not the ones resolved through ANAME) in the cache.

Certainly.

> With this change I don't think it makes sense to say "a resolver MUST
> re-query", I'd use "a resolver SHOULD re-query if it didn't use ECS and
> the query didn't use DO=1".

I'm sorry, I'm not getting this. Please explain further, particularly
with an expansion of the word "it"?

> But I'd add "a resolver MUST include ANAME
> RRset in respones to queries for A/AAAA".

Yes, I'd been assuming it would. If I forgot to mention it in the
draft, I'll fix that.

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.