On Wed, Feb 26, 2014 at 07:09:57PM +0000, Wiley, Glen wrote:
> An application using the getdns api can decide how it will take advantage
> of the system files - for example whether it wants to use a search option
> which is an improvement over the current approach in which applications
> are not aware of whether a suffix was appended to a query.

The write-up on Paul's site does not specify how suffix appending
interacts with DNSSEC. Is that written down somewhere?

I think that applications should studiously avoid mixing the two,
but they may need to be warned, or at least the interaction of the
two needs to be documented.

In particular, after an insecure denial of existence (or after any
lookup failure, such as a timeout, SERVFAIL, ...) of a suffixed
name, all subsequent lookups with other suffixes, or with no suffix,
must be deemed insecure.

How do suffixed lookups handle lookup errors for a suffixed name? Does
the query fail at that point, or does it continue with any remaining
suffixes or bare name?

--
Viktor.
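
The rule stated in the message above, as an added example that is not part of the original post and is not getdns code: a search-list walk that marks the final result insecure once any earlier candidate ended in anything other than a validated denial. The `Outcome` values, `resolve_with_search`, the stub resolver, the names under `.example`, the suffixes-then-bare-name order and the choice to continue after an error are all assumptions made for illustration.

```python
from enum import Enum

class Outcome(Enum):
    SECURE_ANSWER = 1     # answer validated by DNSSEC
    INSECURE_ANSWER = 2   # answer from an unsigned zone
    SECURE_DENIAL = 3     # NXDOMAIN/NODATA with a validated proof
    INSECURE_DENIAL = 4   # denial of existence without a validated proof
    ERROR = 5             # timeout, SERVFAIL, ...

ANSWERS = (Outcome.SECURE_ANSWER, Outcome.INSECURE_ANSWER)

def resolve_with_search(name, suffixes, lookup):
    """Try name.suffix for each suffix, then the bare name (assumed order).

    Returns (qname_that_answered_or_None, secure). `secure` is True only if
    the final outcome validated AND every earlier candidate was securely
    denied; otherwise the choice of which name answered was not authenticated.
    """
    tainted = False
    for candidate in [f"{name}.{s}" for s in suffixes] + [name]:
        outcome = lookup(candidate)
        if outcome in ANSWERS:
            return candidate, outcome is Outcome.SECURE_ANSWER and not tainted
        if outcome is not Outcome.SECURE_DENIAL:
            # Insecure denial or any failure: later results must be
            # deemed insecure, even if they validate on their own.
            tainted = True
    # Nothing answered: the negative result is secure only if untainted.
    return None, not tainted

def make_lookup(table):
    """Hypothetical stub resolver; names missing from the table time out."""
    return lambda qname: table.get(qname, Outcome.ERROR)

# Constructed sample data.
SUFFIXES = ["corp.example", "example"]
CLEAN = {"www.corp.example": Outcome.SECURE_DENIAL,
         "www.example": Outcome.SECURE_ANSWER}
TIMEOUT = {"www.example": Outcome.SECURE_ANSWER}  # first candidate times out
UNSIGNED = {"www.corp.example": Outcome.INSECURE_DENIAL,
            "www.example": Outcome.SECURE_ANSWER}

if __name__ == "__main__":
    for label, table in (("clean", CLEAN), ("timeout", TIMEOUT),
                         ("unsigned", UNSIGNED)):
        print(label, resolve_with_search("www", SUFFIXES, make_lookup(table)))
```

In all three tables `www.example` itself validates; only the first case may be reported as secure, because only there was the skipped candidate provably absent.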