
Re: dnssec-updates text, include SOA in negative answers



At 9:20 PM +0200 11/28/07, Andreas Gustafsson wrote:
Edward Lewis wrote:
 >Isn't this already required by RFC2308 section 3?

 I don't think so.  That only covers authoritative servers.

For caching servers, there is section 6:

  6 - Negative answers from the cache

     When a server, in answering a query, encounters a cached negative
     response it MUST add the cached SOA record to the authority section
     of the response with the TTL decremented by the amount of time it was
     stored in the cache.  This allows the NXDOMAIN / NODATA response to
     time out correctly.

I find it somewhat confusing that Wouter's original proposed text
talks about "servers that serve DNSSEC signed zones", which I would
interpret as referring to authoritative servers, and then presents an
example involving a response from a caching server.  But in any case,
RFC2308 does seem to already cover both cases.
--
Andreas Gustafsson, gson@araneus.fi

Ok, but I still think we ought to reinforce the "don't include the NS set" in negative answers.

Other than the legacy requirement, is there a need to have the SOA? I mean, does it contain some information that is needed? (Do we also need to prove it is the right SOA?)
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Think glocally.  Act confused.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
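As an added illustration of the RFC 2308 section 6 behaviour quoted in the thread (example code written for this archive page, not from the thread or from any DNS implementation): a toy negative cache that stores NXDOMAIN and NODATA answers together with their SOA and replays them with the SOA TTL decremented by the time spent in cache, placing only the SOA (no NS set) in the authority section. The SOA/NegativeCache names and the check that the SOA owner is an ancestor of the queried name are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class SOA:
    owner: str    # apex of the zone the SOA came from, e.g. "example."
    ttl: int      # TTL of the SOA RR as received in the authority section
    minimum: int  # SOA MINIMUM field, the negative caching TTL bound

def negative_ttl(soa: SOA) -> int:
    """RFC 2308 section 3: the negative answer lives for min(SOA TTL, MINIMUM)."""
    return min(soa.ttl, soa.minimum)

def is_ancestor(zone: str, name: str) -> bool:
    """True if `name` is at or below `zone` (compared case-insensitively)."""
    z, n = zone.lower().rstrip("."), name.lower().rstrip(".")
    return z == "" or n == z or n.endswith("." + z)

class NegativeCache:
    """Minimal model of RFC 2308 negative caching (sections 5 and 6)."""
    def __init__(self):
        self._entries = {}  # (qname, qtype or None) -> (rcode, soa, neg_ttl, stored_at)

    def store(self, qname, qtype, rcode, soa, now) -> bool:
        # Section 5: a negative answer without a SOA is not cached. The SOA must
        # also come from a zone containing qname (sanity check assumed here).
        if soa is None or not is_ancestor(soa.owner, qname):
            return False
        # NXDOMAIN covers every type at the name; NODATA only this (name, type).
        key = (qname.lower(), None if rcode == "NXDOMAIN" else qtype)
        self._entries[key] = (rcode, soa, negative_ttl(soa), now)
        return True

    def lookup(self, qname, qtype, now) -> Optional[dict]:
        for key in ((qname.lower(), None), (qname.lower(), qtype)):
            entry = self._entries.get(key)
            if entry is None:
                continue
            rcode, soa, ttl, stored_at = entry
            age = now - stored_at
            if age >= ttl:
                del self._entries[key]   # negative entry has timed out
                continue
            # Section 6: answer from cache with the SOA in the authority section,
            # its TTL reduced by the time spent in cache. No NS set is included.
            return {"rcode": rcode, "answer": [],
                    "authority": [SOA(soa.owner, ttl - age, soa.minimum)]}
        return None
```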