At 17:18 +0200 5/5/05, Roy Arends wrote:
<proto police hat on>
Before this spins into a debate on the correctness of the answers (I privately label them "hybrid" cache/referrals), I want to make two points:

1) This action may or may not be completely compliant with the protocol but it has been an operational boon. Don't get me wrong - the messages are valid with respect to the protocol. The way in which the data is obtained may not be what is expected, but is fully compliant with the protocol. I.e., the answer comes back with the AA bit off and the RA bit is also off. DNS does not define what that "means" - it could be that the server is recursive, but recursion is not available to the querier. (It could be ACL'd out by IP address, for example.)

Defining the answers as "in-bailiwick" is hard. The servers in this example are authoritative for .com and .net. To the server, the bailiwick is any domain under .com and .net, regardless of the query. OTOH, the only queries that fall into this category are asking for names in .com and .net. I.e., you don't see a .biz name here - for many reasons.

Keep in mind that just because the IETF has defined it, doesn't mean it's operationally valid. The IETF tries, but sometimes misses the mark. Without this crutch, no BIND prior to 8.something would have worked (getting lost in reverse map queries) and the number of queries sent would have been much higher.

2) This is another case of DNSSEC exposing corner cases that DNS was able to live with. Like "* NS", until DNSSEC, these cases could exist without heartburn, but when push comes to shove in the "signed by the authorized party" era, we find that these cases exist. ("* DNAME" isn't in this category for other reasons; even in non-DNSSEC it causes heartburn. Sorry - that's a different discussion on another list.)

I may be painting this scenario in an unfair light calling it a "corner case" but it qualifies because this is "ersatz caching." It works now because as long as the host objects are in line with what's really in DNS, it's okay. Problems don't pop up until the DNS is changed and the registration isn't. This will happen when the zone gets signed. Retrieval of the RRSIGs for all registered host objects is probably not going to happen.

I'm sure there is a way "out" of this. For one, without DNSSEC, the answer coming from a non-authoritative server is lower in credibility than an answer from an authoritative one. Perhaps a validator can recognize hybrid answers and realize not to "panic" when it lacks the RRSIG, instead "following" the referral half of the message.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468 NeuStar
If you knew what I was thinking, you'd understand what I was saying.
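Decoding the header bits the message turns on (QR set, AA off, RA off, data in both the answer and authority sections), as an added example that is not part of the thread. The three sample headers are constructed, the "hybrid" label is the poster's private term rather than anything a standard defines, and the validator action table only illustrates the "follow the referral half" suggestion above.

```python
import struct

# Constructed 12-byte DNS headers (ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT).
HYBRID_RESPONSE = bytes.fromhex("1234 8100 0001 0001 0002 0002")  # QR=1 AA=0 RA=0, RD echoed
AUTHORITATIVE = bytes.fromhex("1234 8400 0001 0001 0000 0000")    # QR=1 AA=1
REFERRAL = bytes.fromhex("1234 8000 0001 0000 0002 0002")         # QR=1 AA=0, no answers


def parse_header(msg: bytes) -> dict:
    """Unpack the fixed DNS header (RFC 1035 section 4.1.1) into named fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),           # 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),           # authoritative answer
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),           # recursion desired (copied from query)
        "ra": bool(flags & 0x0080),           # recursion available
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_response(h: dict) -> str:
    """Label a response by the combination of AA/RA and populated sections."""
    if not h["qr"]:
        return "query"
    if h["aa"]:
        return "authoritative"
    if h["ra"]:
        return "recursive"                    # answer came from a resolver's cache
    if h["ancount"] and h["nscount"]:
        return "hybrid"                       # answer data plus referral, AA and RA both off
    if h["nscount"] and not h["ancount"]:
        return "referral"
    return "non-authoritative"


def validator_action(kind: str, has_rrsig: bool) -> str:
    """Hypothetical policy: a hybrid answer without RRSIGs is not 'bogus', it is
    lower-credibility data; act on the referral half instead of the answer half."""
    if kind == "authoritative":
        return "validate answer" if has_rrsig else "treat as bogus"
    if kind == "hybrid":
        return "validate answer" if has_rrsig else "follow referral"
    if kind == "referral":
        return "follow referral"
    return "validate answer" if has_rrsig else "treat as insecure data"
```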