Chris,

Just wanted to add that there is no NSEC record type 0x2F in the Avahi 
definitions (defs.h) so it is not aware of it. (How it would handle a received 
NSEC record is not something I tested.)

As for your question:

> ie.  If avahi receives an additional record of type NSEC asserting the 
> non-existence of AAAA addresses, will it stop querying for AAAA?

"Stopping the querying for AAAA" here only is worth the effort in case the 
Avahi host was sending out separate A/AAAA queries. As Petr mentioned, this is 
in any case not optimal and the Avahi host should rather send multi-question 
query A/AAAA or the ANY query for the hostname.
So it would not be worth the effort probably to add such a feature.

In any case the "stop querying" would only be for a limited time. Since NSEC is 
only sent by a host in a very particular scenario where one of its interfaces 
(IPv4/v6) is temporarily down, and the NSEC record has a TTL saying for how 
long this situation will last, the Avahi host is supposed to resume the 
querying for the non-existent record type roughly after 80% of the NSEC TTL has 
passed. And the recommended TTL for (NSEC) hostname records is 120 seconds. See 
also https://www.rfc-editor.org/rfc/rfc6762.html#section-20 to understand why 
the NSEC case is rare.

So Avahi should be able to handle a received NSEC record for sure ('not crash' 
being the minimum requirement :) ) but to do anything smart based on it seems 
like it could be optimizing for a corner case.

regards
Esko
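As an added illustration of the NSEC handling discussed above (not code from Avahi, nss-mdns or anyone in this thread): a small parser for the mDNS NSEC RDATA of RFC 6762 section 6.1 that decides whether a received record asserts the absence of AAAA for its own name, plus the "resume after 80% of the TTL" rule from the message. The host name myhost.local. and all function names are constructed for the example.

```python
A, AAAA = 1, 28  # RR type codes

def encode_name(name):
    """Encode 'myhost.local.' as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_name(data, off):
    """Parse an uncompressed name; returns (dotted name, next offset)."""
    labels = []
    while True:
        n = data[off]
        if n & 0xC0:  # compression pointers never appear in our constructed RDATA
            raise ValueError("compression pointer not supported here")
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        labels.append(data[off:off + n].decode("ascii"))
        off += n

def parse_nsec_rdata(rdata):
    """NSEC RDATA: next domain name + type bitmap windows (RFC 4034 s4.1.2).
    Returns (next_name, set of RR types listed as present)."""
    next_name, off = parse_name(rdata, 0)
    present = set()
    while off < len(rdata):
        window, length = rdata[off], rdata[off + 1]
        off += 2
        if not 1 <= length <= 32 or off + length > len(rdata):
            raise ValueError("malformed type bitmap")
        for byte_index, byte in enumerate(rdata[off:off + length]):
            present.update(window * 256 + byte_index * 8 + bit
                           for bit in range(8) if byte & (0x80 >> bit))
        off += length
    return next_name, present

def asserts_absent(rdata, owner_name, rrtype):
    """mDNS NSEC only speaks for its own name: 'next domain name' must equal the
    owner, and a type is asserted absent when it is not in the bitmap."""
    next_name, present = parse_nsec_rdata(rdata)
    return next_name.lower() == owner_name.lower() and rrtype not in present

def resume_query_delay(ttl_seconds):
    """Seconds before re-querying: 80% of the NSEC TTL (integer arithmetic)."""
    return ttl_seconds * 4 // 5

def build_nsec_rdata(owner_name, present_types):
    """Construct an mDNS-style NSEC RDATA (next name == owner) for testing."""
    windows = {}
    for t in present_types:
        w, bit = divmod(t, 256)
        windows.setdefault(w, bytearray(32))[bit // 8] |= 0x80 >> (bit % 8)
    out = bytearray(encode_name(owner_name))
    for w in sorted(windows):
        bitmap = bytes(windows[w]).rstrip(b"\x00")
        out += bytes([w, len(bitmap)]) + bitmap
    return bytes(out)

# Constructed sample: a host whose IPv6 side is down advertises only an A record.
SAMPLE_RDATA = build_nsec_rdata("myhost.local.", {A})
```

With the 120-second hostname TTL mentioned above, `resume_query_delay(120)` gives 96 seconds before AAAA is queried again.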


-----Original Message-----
From: avahi <avahi-boun...@lists.freedesktop.org> On Behalf Of Petr Menšík
Sent: Tuesday, January 17, 2023 19:39
To: avahi@lists.freedesktop.org
Subject: Re: [avahi] Question on NSEC Support

Hi,

I doubt outgoing DNS queries have EDNS with DO bit set. Therefore they 
do not receive NSEC(3) records via unicast DNS. But you asked for 
multicast queries only I guess.

I can tell for nss-mdns plugin, because I have seen those parts 
recently. They will not skip AAAA queries in reaction to anything. I am 
confident NSEC record would not change anything. I think it makes sense 
to query addresses using ANY query, which is defined to return all 
records always on MDNS. That might deliver AAAA addresses just after 
query on IPv4.

I think at least nss-mdns resolution of both A+AAAA (mdns_minimal or 
mdns plugins) needs some change anyway. When the name is not found, it 
currently waits 2*5s sequentially for each address family. It changes 
one ANY query from libc to two separate queries. That is not what we 
want. We should make avahi-daemon query for both addresses from single 
request. Now it responds to IPv4 and IPv6 separately, but does not track 
their relation on side of daemon. That I think means NSEC is not handled 
at the moment and would require non-trivial effort.

Not sure we also have a negative cache, where an NSEC record could insert 
bits for records other than the one queried. Then the following query could be 
answered right away even without more complicated bundled query support.

Regards,
Petr

On 1/12/23 22:01, Chris Schroll wrote:
> Hi,
>
> Does avahi process NSEC records types?  RFC 6762 sections 6.1 and 6.2 
> refer to Negative Responses.
>
> ie.  If avahi receives an additional record of type NSEC asserting the 
> non-existence of AAAA addresses, will it stop querying for AAAA?
>
> Thanks!
> Chris

-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
