At 15:55 +0000 6/7/05, bmanning@vacation.karoshi.com wrote:
> On Tue, Jun 07, 2005 at 11:50:39AM -0400, Edward Lewis wrote:
>> At 15:47 +0000 6/7/05, bmanning@vacation.karoshi.com wrote:
>>> just for grins... how would DNSSEC "bend" around this supporting girder (or crutch if you prefer).
>> Having to know not to give up when seeing an unsigned answer coming from a cache, treating this as a referral message and not a bogus
> so... get back the unsigned rrset (glue) - then treat as a referral & attempt to validate down its delegation chain...???

A validator would need to know to do this. Look at the reply to the dig I suggested. Is it a reply? Is it a referral? If I recall correctly, BIND treats it as a reply and ceases the iteration, caching the answer as a less credible piece of data than had the AA bit been turned on.

My point is, if the resolver sees this and judges it to be a reply, instead of tossing it and trying the query again the resolver needs to slip this into the "it's a referral" queue.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar

If you knew what I was thinking, you'd understand what I was saying.