>> As I understand it, your design depends on putting NXDOMAIN signals
>> in the additional section to show that there aren't any boundaries
>> between the names it returns. How do you plan to do that?

> John, I don't understand your note.
In draft-dcrocker-dns-perimeter-00, it says this:
Another approach is use of the DNS Additional section in the server
response. When there is a query for a Perimeter node, the server
would include the associated Perimeter BEGIN record from earlier in
the hierarchy, if the queried node is within that hierarchy -- that
is, is above the actual or virtual END record.
If you asked for _perim.a.b.c.example.com, and the perimeter is actually
at "c", there, you hope that modified DNS servers will return NXDOMAIN and
in the additional section add _perim.c.example.com. But since the
additional section info is just advisory, that doesn't tell you anything
about _perim.b.c.example.com, which might exist or might not. To avoid
doing a tree walk, you'd need a signal that _perim.b.c.example.com does
not exist, and there's no way to do that in an additional section.
Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
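The scenario in the message above, worked through as an added example (this is not code from the thread or from draft-dcrocker-dns-perimeter-00). It models a toy zone as a dictionary, a server that answers a `_perim` query as John describes (NXDOMAIN plus an advisory BEGIN hint in the additional section), and the client-side tree walk the hint is meant to avoid. The two zones, the record values BEGIN/END and the `_perim` label are constructed for illustration. The point it makes visible: two zones that differ only in whether `_perim.b.c.example.com` exists produce byte-identical responses to the query for `_perim.a.b.c.example.com`, so the client cannot learn from the additional section whether the intermediate name exists, while the tree walk reaches different results.

```python
"""Why an advisory additional-section hint cannot replace a tree walk.

Constructed model, not real DNS: a zone is a dict mapping an owner name
to a single record value ("BEGIN" or "END").
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PERIM = "_perim."  # hypothetical perimeter label, as in the draft

# Two constructed zones. They differ only in the intermediate name
# _perim.b.c.example.com, which exists in ZONE_B and not in ZONE_A.
ZONE_A = {"_perim.c.example.com": "BEGIN"}
ZONE_B = {"_perim.c.example.com": "BEGIN",
          "_perim.b.c.example.com": "END"}


@dataclass
class Response:
    rcode: str                                  # "NOERROR" or "NXDOMAIN"
    answer: List[Tuple[str, str]] = field(default_factory=list)
    additional: List[Tuple[str, str]] = field(default_factory=list)


def ancestors(name: str) -> List[str]:
    """Every ancestor of `name`, nearest first (a.b.c -> [b.c, c])."""
    parts = name.split(".")
    return [".".join(parts[i:]) for i in range(1, len(parts))]


def nearest_begin(zone: dict, host: str) -> Optional[str]:
    """The server's advisory hint: the closest BEGIN record above `host`."""
    for anc in ancestors(host):
        if zone.get(PERIM + anc) == "BEGIN":
            return PERIM + anc
    return None


def query(zone: dict, qname: str) -> Response:
    """Modified server as described in the message: NXDOMAIN for a missing
    _perim name, with the enclosing BEGIN record in the additional section."""
    if qname in zone:
        return Response("NOERROR", answer=[(qname, zone[qname])])
    host = qname[len(PERIM):] if qname.startswith(PERIM) else qname
    hint = nearest_begin(zone, host)
    return Response("NXDOMAIN", additional=[(hint, "BEGIN")] if hint else [])


def tree_walk(zone: dict, host: str):
    """Client tree walk: one query per label, stopping at the first _perim
    record that exists. Returns (record, number_of_queries)."""
    queries = 0
    for name in [host] + ancestors(host):
        queries += 1
        resp = query(zone, PERIM + name)
        if resp.rcode == "NOERROR":
            return resp.answer[0], queries
    return None, queries


def hint_distinguishes(zone1: dict, zone2: dict, qname: str) -> bool:
    """True only if the additional-section hint differs between the zones,
    i.e. only if it carries information about the intermediate names."""
    return query(zone1, qname) != query(zone2, qname)


if __name__ == "__main__":
    q = PERIM + "a.b.c.example.com"
    print("ZONE_A:", query(ZONE_A, q))
    print("ZONE_B:", query(ZONE_B, q))
    print("hint distinguishes zones:", hint_distinguishes(ZONE_A, ZONE_B, q))
    print("walk A:", tree_walk(ZONE_A, "a.b.c.example.com"))
    print("walk B:", tree_walk(ZONE_B, "a.b.c.example.com"))
```

Running it shows the same NXDOMAIN response with `_perim.c.example.com BEGIN` in the additional section for both zones, while the tree walk stops at `_perim.b.c.example.com END` after two queries in ZONE_B and at `_perim.c.example.com BEGIN` after three in ZONE_A. A hint that is identical in both cases cannot tell the client which of the two it is looking at.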