
Re: dnssec-updates text, include SOA in negative answers

At 5:09 PM +0100 11/28/07, W.C.A. Wijngaards wrote:

>particular types, and so on. The outcome of these checks, taken together
>with the proof question, result in a security status. The security
>status is not determinable without determining as well whether the
>message is a referral or a negative (or something else).

Okay, I thought you meant something else.

It's necessary to understand the unchecked message before knowing "what to solve for."  So, it's plain to say that a message has to be unambiguous in meaning.

So returning to the original suggestion to include the SOA, I think (as already stated) that would be the wrong step.  We should stick with the suggestion in RFC 2308 to only send Type 2 negative responses (see the RFC for what Type 2 means) and just amplify that under DNSSEC.

I would think that we should recommend that a NXDOMAIN never include NS records.  That goes for caches that are not required to include the SOA as well as authoritative servers.  But - perhaps it is needed to help decide the RFC 2181 trustworthiness of the data?  Maybe not, if we can trust the AA bit.

From RFC 2181:

# Trustworthiness shall be, in order from most to least:
#
#     + Data from a primary zone file, other than glue data,
#     + Data from a zone transfer, other than glue,
#     + The authoritative data included in the answer section of an
#       authoritative reply.
#     + Data from the authority section of an authoritative answer,
#     + Glue from a primary zone, or glue from a zone transfer,
#     + Data from the answer section of a non-authoritative answer, and
#       non-authoritative data from the answer section of authoritative
#       answers,
#     + Additional information from an authoritative answer,
#       Data from the authority section of a non-authoritative answer,
#       Additional information from non-authoritative answers.

Then again, under DNSSEC, trustworthiness has less impact.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Think glocally.  Act confused.
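An added example, not code from this thread or from any resolver: a small classifier that names a response's form per RFC 2308 section 2 (NXDOMAIN or NODATA Type 1-4, referral, positive), which is the "what to solve for" step the message says a validator must take before it can assign a security status. The Response model, the (owner, type) record tuples and the sample messages are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

RR = Tuple[str, str]  # (owner name, RR type); constructed minimal record model

@dataclass
class Response:
    """Constructed view of just the fields the classification needs."""
    rcode: str             # "NOERROR" or "NXDOMAIN"
    aa: bool               # AA header bit
    qname: str
    qtype: str
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)

def classify(r: Response) -> str:
    """Name the message form per RFC 2308 section 2 (Type 1-4 negative
    answers, referrals) so a validator knows what it must prove."""
    auth_types = {t for _, t in r.authority}
    soa, ns = "SOA" in auth_types, "NS" in auth_types
    if any(o == r.qname and t in (r.qtype, "CNAME") for o, t in r.answer):
        return "positive"
    if r.rcode == "NXDOMAIN":
        kind = "NXDOMAIN"
    elif r.rcode == "NOERROR" and not r.answer:
        if ns and not soa:
            return "referral"            # NS-only authority, no SOA: a delegation
        kind = "NODATA"
    else:
        return "unclassified"
    if soa and ns:
        return f"{kind}/Type1"
    if soa:
        return f"{kind}/Type2"           # the form RFC 2308 recommends sending
    if ns:
        return f"{kind}/Type4"           # NXDOMAIN with NS only: referral-shaped
    return f"{kind}/Type3"               # empty authority: nothing to cache

# Constructed sample messages for a query of www.example. A
NXDOMAIN_TYPE2 = Response("NXDOMAIN", True, "www.example.", "A",
                          authority=[("example.", "SOA")])
NXDOMAIN_TYPE1 = Response("NXDOMAIN", True, "www.example.", "A",
                          authority=[("example.", "SOA"), ("example.", "NS")])
REFERRAL = Response("NOERROR", False, "www.example.", "A",
                    authority=[("example.", "NS")])
```

A Type 4 result is the case the thread warns about: with NS records but no SOA, the message is referral-shaped and only the RCODE distinguishes it, so a cache has no SOA to hang the negative TTL on.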