On Wed, Sep 30, 2015 at 11:28:45PM -0400, Joe Abley wrote:
> 1. Return an unsigned response. This will be marked as bogus, and
> trigger a QTYPE=HINFO re-query that will either return an actual signed
> HINFO from the zone or a signed proof of non-existence. We think. I
> haven't actually tested that a re-query will happen, but Olafur is
> confident. :-)

I haven't tested it either, but that is not what I would expect.

If the resolver gets a bogus response to a query of type ANY, I
would expect it to try the same query at another name server,
until it had exhausted all authoritative name servers, and then
reply with SERVFAIL.

> 2. Sign the HINFO RR as it is synthesised (or pre-sign one, to avoid the
> edge authority servers needing access to a signing key).

Pre-signing essentially reduces to adding an empty HINFO to every node in
every zone, then using the pick-one-RRset method, but ensuring that HINFO
is always selected first.

> That is true. However, one of the use-cases for this approach is a
> nameserver for which a search for records present at a particular owner
> name (as would normally be performed when responding to an ANY query) is
> expensive.

It's not at all obvious to me that this is cheaper.

With either method, you have to search down through the zone to find out
whether the node exists (otherwise you'd be returning NXDOMAIN, rather than
a minimized response).  Since you're doing that search anyway, choosing an
RRset to return is pretty cheap.  And actually, you really *should* also
look through the RRsets at the node to make sure there isn't a non-empty
HINFO record before you synthesize an empty one, and if you're doing *that*
anyway, choosing an RRset wouldn't cost any more and could well cost less.

Assuming we aren't considering the possibility of native HINFO records,
I agree that synthesizing an unsigned HINFO would be a little quicker
than pulling an RRset out of the node, but not *so* much quicker as
to seem obviously worthwhile.

And for signed zones, synthesizing a signed HINFO would almost
certainly be slower, while returning a pre-signed HINFO would be
no faster than choosing an RRset.

The disadvantages of pick-one-RRset that I can see are 1) more
information leaked (but nothing that couldn't be obtained by sending
queries for individual qtypes anyway), and 2) modestly larger response
size (but still a lot better than unminimized ANY responses).

Perhaps both approaches should be described in the draft.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
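The two ANY-minimisation strategies compared in the message above, as an added Python example that is not part of the thread. The toy zone, the synthesized HINFO text and the deterministic min()-based RRset choice are constructed assumptions; both strategies first walk the zone for the node (NXDOMAIN otherwise) and honour a native HINFO before doing anything else.

```python
# Added example: minimal ANY answers via "pick one RRset" vs "synthesize HINFO".
# Zone is a constructed toy: owner name -> {rtype: [rdata, ...]}.
from typing import Dict, List, Optional, Tuple

Node = Dict[str, List[str]]
RRset = Tuple[str, List[str]]

ZONE: Dict[str, Node] = {
    "example.test.": {"SOA": ["ns1 hostmaster 1 3600 600 86400 300"],
                      "NS": ["ns1.example.test."]},
    "www.example.test.": {"A": ["192.0.2.1"], "AAAA": ["2001:db8::1"],
                          "TXT": ["v=spf1 -all"]},
    "host.example.test.": {"HINFO": ['"PC" "Linux"'], "A": ["192.0.2.2"]},
    "deep.ent.example.test.": {"A": ["192.0.2.3"]},  # makes ent.example.test. an ENT
}

# Constructed placeholder rdata for a synthesized (empty-ish) HINFO.
SYNTH_HINFO: RRset = ("HINFO", ['"ANY-minimised" ""'])


def find_node(zone: Dict[str, Node], qname: str) -> Tuple[str, Optional[Node]]:
    """The search both methods must do: 'exists', 'ent' (empty non-terminal) or 'nxdomain'."""
    if qname in zone:
        return "exists", zone[qname]
    if any(owner.endswith("." + qname) for owner in zone):
        return "ent", {}
    return "nxdomain", None


def answer_any_pick_one(zone: Dict[str, Node], qname: str) -> Tuple[str, Optional[RRset]]:
    """Return one real RRset from the node; a native HINFO always wins."""
    status, node = find_node(zone, qname)
    if status == "nxdomain":
        return "NXDOMAIN", None
    if not node:                      # ENT: nothing at the node -> NODATA
        return "NOERROR", None
    if "HINFO" in node:               # look for a real HINFO before choosing
        return "NOERROR", ("HINFO", node["HINFO"])
    rtype = min(node)                 # deterministic pick; any one RRset qualifies
    return "NOERROR", (rtype, node[rtype])


def answer_any_synth_hinfo(zone: Dict[str, Node], qname: str) -> Tuple[str, Optional[RRset]]:
    """Synthesize an HINFO unless the node really carries one."""
    status, node = find_node(zone, qname)
    if status == "nxdomain":
        return "NXDOMAIN", None
    if not node:
        return "NOERROR", None
    if "HINFO" in node:               # the same native-HINFO check the message calls for
        return "NOERROR", ("HINFO", node["HINFO"])
    return "NOERROR", SYNTH_HINFO
```

Both functions share find_node, which is the point of the argument: once the existence walk is paid for, choosing an RRset costs about as much as checking for a native HINFO.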
