On Thu, 5 May 2005, Roy Arends wrote:
On Thu, 5 May 2005, Edward Lewis wrote:
There's an item on the agenda that I'd like to potentially add to...
<snip>
The third is a query to .net, and you get back a hybrid answer...
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8051
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 8, ADDITIONAL: 8
;; QUESTION SECTION:
;chia.arin.net. IN A
;; ANSWER SECTION:
chia.arin.net. 172800 IN A 192.5.6.32
;; AUTHORITY SECTION:
the rest is a normal referral...
This is a good crutch - and is a counter to "in-bailiwick" server requirements. This crutch comes at a price though - the A record here is obtained from the host objects registered, not via DNS. (It looks like a cached answer, but it's not really.)
That's all good, no "flash point problem."
Until we get to DNSSEC though. This answer will be RRSIG-less. I suspect that this might become an issue. Maybe?
It will become an issue, unless resolvers understand that referrals with glue in answer section are exactly that: referrals, and not answers.
Might be a topic for ietf dnsop or dnsext: Convince authoritative name server vendors to put glue where glue belongs: additional section. There is also the problem of combined server-resolver installations, that have out-of-bailiwick glue cached, and respond with that glue in the answer section.

Roy
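
The distinction discussed in this thread, sketched as an added example that is not part of the original messages: a heuristic that labels a dig-style response as an answer or as a referral carrying glue in the answer section, and lists answer RRsets with no covering RRSIG. The function names are hypothetical, the NS line in the sample is a constructed stand-in for the elided authority section, and keying on the absent aa flag plus NS records in the authority section is an assumption of this sketch.

```python
import re

# Constructed sample: header, question and answer as quoted in the message; the
# NS line is a constructed stand-in for the elided authority section.
HYBRID = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8051
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 8, ADDITIONAL: 8
;; QUESTION SECTION:
;chia.arin.net. IN A
;; ANSWER SECTION:
chia.arin.net. 172800 IN A 192.5.6.32
;; AUTHORITY SECTION:
arin.net. 172800 IN NS chia.arin.net.
"""

def parse(text):
    """Return (flags, {section: [(owner, type, rdata), ...]}) from dig-style text."""
    flags, sections, current = set(), {}, None
    for line in text.splitlines():
        if m := re.match(r";; flags:([^;]*);", line):
            flags = set(m.group(1).split())
        elif m := re.match(r";; (\w+) SECTION:", line):
            current = sections.setdefault(m.group(1), [])
        elif current is not None and line and not line.startswith(";"):
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            current.append((owner.lower(), rtype, rdata))
    return flags, sections

def classify(text):
    """Heuristic label for how a validating resolver should treat the response."""
    flags, sec = parse(text)
    if "aa" in flags:
        return "answer"                       # server claims authority for the data
    delegated = any(t == "NS" for _, t, _ in sec.get("AUTHORITY", []))
    if delegated and sec.get("ANSWER"):
        return "referral-with-glue-in-answer"  # the hybrid case from the thread
    return "referral" if delegated else "non-authoritative"

def unsigned_rrsets(text):
    """(owner, type) pairs in the answer section with no covering RRSIG."""
    answer = parse(text)[1].get("ANSWER", [])
    covered = {(o, rd.split()[0]) for o, t, rd in answer if t == "RRSIG"}
    return sorted({(o, t) for o, t, _ in answer if t != "RRSIG"} - covered)

if __name__ == "__main__":
    print(classify(HYBRID), unsigned_rrsets(HYBRID))
```

A validator using such a label would skip signature checks on glue it intends to re-query from the child zone, rather than treating the unsigned A record as a failed answer.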