Hi,

I doubt outgoing DNS queries have EDNS with the DO bit set. Therefore they do not receive NSEC(3) records via unicast DNS. But you asked about multicast queries only, I guess.

I can speak for the nss-mdns plugin, because I have seen those parts recently. They will not skip AAAA queries in reaction to anything. I am confident an NSEC record would not change anything. I think it makes sense to query addresses using an ANY query, which is defined to always return all records on mDNS. That might deliver AAAA addresses just after a query on IPv4.

I think at least nss-mdns resolution of both A+AAAA (mdns_minimal or mdns plugins) needs some change anyway. When the name is not found, it currently waits 2*5s sequentially for each address family. It changes one ANY query from libc to two separate queries. That is not what we want. We should make avahi-daemon query for both addresses from a single request. Now it responds to IPv4 and IPv6 separately, but does not track their relation on the daemon side. That, I think, means NSEC is not handled at the moment and would require non-trivial effort.

Not sure whether we also have a negative cache, where an NSEC record could insert bits for records other than just the queried one. Then a following query could be answered right away, even without more complicated bundled query support.

Regards,
Petr

On 1/12/23 22:01, Chris Schroll wrote:
> Hi,
>
> Does avahi process NSEC record types? RFC 6762 sections 6.1 and 6.2 refer to Negative Responses.
>
> I.e., if avahi receives an additional record of type NSEC asserting the non-existence of AAAA addresses, will it stop querying for AAAA?
>
> Thanks!
> Chris

--
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
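
Added example, not part of the original thread and not code from Avahi or nss-mdns: a bounds-checked reader for the restricted NSEC type bitmap of RFC 6762 section 6.1, showing how one received NSEC could answer "does AAAA exist?" for a negative cache. The function names, the enum and the sample byte strings are assumptions made for illustration, and the caller is assumed to have already skipped the Next Domain Name field.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { DNS_TYPE_A = 1, DNS_TYPE_AAAA = 28 };
enum nsec_answer { NSEC_MALFORMED = -1, NSEC_ABSENT, NSEC_PRESENT, NSEC_UNKNOWN };

/* Constructed sample type bitmaps (window, length, bits); not captured traffic. */
static const uint8_t SAMPLE_A_ONLY[]    = { 0x00, 0x01, 0x40 };
static const uint8_t SAMPLE_A_AAAA[]    = { 0x00, 0x04, 0x40, 0x00, 0x00, 0x08 };
static const uint8_t SAMPLE_TRUNCATED[] = { 0x00, 0x04, 0x40 };

/* bm/len: the bytes that follow the Next Domain Name in the NSEC rdata
 * (assumption: the caller has already skipped the name). */
enum nsec_answer nsec_lookup(const uint8_t *bm, size_t len, uint16_t type)
{
    /* RFC 6762 6.1 restricts mDNS NSEC to a single window block 0, so this
     * example rejects any other window, a bad length or trailing bytes. */
    if (len < 3 || bm[0] != 0 || bm[1] < 1 || bm[1] > 32 ||
        (size_t)bm[1] + 2 != len)
        return NSEC_MALFORMED;
    if (type > 255)
        return NSEC_UNKNOWN;            /* not representable in block 0 */
    size_t byte = type / 8;
    if (byte >= bm[1])
        return NSEC_ABSENT;             /* trailing zero bytes are omitted */
    return (bm[2 + byte] & (0x80 >> (type % 8))) ? NSEC_PRESENT : NSEC_ABSENT;
}

/* Hypothetical negative-cache decision: suppress a query only when a
 * well-formed NSEC asserts the type is absent. Malformed data from the
 * multicast link never suppresses a lookup. */
int should_query(const uint8_t *bm, size_t len, uint16_t type)
{
    return nsec_lookup(bm, len, type) != NSEC_ABSENT;
}

int main(void)
{
    printf("A only,    query AAAA? %d\n",
           should_query(SAMPLE_A_ONLY, sizeof SAMPLE_A_ONLY, DNS_TYPE_AAAA));
    printf("A + AAAA,  query AAAA? %d\n",
           should_query(SAMPLE_A_AAAA, sizeof SAMPLE_A_AAAA, DNS_TYPE_AAAA));
    printf("truncated, query AAAA? %d\n",
           should_query(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, DNS_TYPE_AAAA));
    return 0;
}
```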
