Warren Kumari <war...@kumari.net> wrote:
>
> >
> > Wildcards
> >
> > Should the box in section 7 say "positive responses" instead of "negative
> > responses"?
> >
> > If so, there should probably also be a cross-ref to RFC 4035 section 5.3.4
> > and RFC 5155 section 8.8 which both discuss validating positive wildcard
> > responses. Similar to my suggestions for 5.1 and 5.2 above. I can provide
> > text if you want.
>
> NOT DONE.
> Yes please. That would be awesome!

Thinking about wildcards makes me wonder if we need to approach this whole
idea from two directions - firstly, how the validator proves to itself
that it can synthesize a negative response or a wildcard response; and
secondly, how it can prove that it did the right thing to a downstream
validator. At the moment the draft talks about the first aspect, but not
very much the second.

Specifically,

Should we treat synthesis as if the cache is pretending to be an
authoritative server?

e.g. for wildcards and NSEC3, something like,

        When synthesizing a wildcard response from its cache, the
        validating resolver MUST include all the records specified in
        RFC 5155 section 7.2.5 (for negative responses) or section 7.2.6
        (for positive responses). That is, it MUST generate a response
        that matches what an authoritative server would send. If the
        required records are not present in the cache, the resolver SHALL
        query upstream instead of synthesizing the response.

If this makes sense then the other cases should be adjusted to describe
things in a similar way, e.g. referring to section 7 of RFC 5155 instead
of (or as well as?) section 8, and section 3.1 instead of / as well as
section 5 of RFC 4035.

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Plymouth, Biscay: Northeast 4 or 5, backing southeast 5 or 6. Slight or
moderate. Showers. Good.
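As an added example (not text from the draft or from anyone in this thread), a Python sketch of the check the proposed paragraph asks for: before synthesizing a positive wildcard answer the resolver confirms its cache holds the wildcard RRset plus the NSEC3 covering the "next closer" name as RFC 5155 section 7.2.6 requires, and otherwise falls back to querying upstream. The cache contents are constructed to mirror the RFC 5155 Appendix A example zone, and the rrsets/nsec3s inputs are assumed to be already validated.

```python
# Added example, not text from the draft or this thread: does the cache hold
# what RFC 5155 section 7.2.6 requires before a validating resolver may
# synthesize a positive wildcard answer? If not, the answer is "query upstream".
import hashlib
from base64 import b32encode

# base32 (RFC 4648) to base32hex, the alphabet NSEC3 owner names use
B32_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: SHA-1 over (canonical wire-format owner || salt),
    re-hashed 'iterations' more times with the salt, then base32hex."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").lower().split(".")) + b"\x00"
    h = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return b32encode(h).decode().translate(B32_TO_HEX).lower()

def nsec3_covers(owner_hash, next_hash, h):
    """True if an NSEC3 with these owner/next hashes proves no name hashes to h."""
    if owner_hash < next_hash:
        return owner_hash < h < next_hash
    return h > owner_hash or h < next_hash  # last RR in the chain wraps to first

def synthesize_wildcard(qname, qtype, zone, salt, iters, rrsets, nsec3s):
    """Walk qname's ancestors below the zone apex, closest first. A cached
    wildcard RRset *.<ancestor> is usable only if the cache also holds the
    NSEC3 covering the 'next closer' name (RFC 5155 sections 7.2.6 / 8.8),
    proving no closer name or wildcard overrides it. Returns what the
    synthesized answer needs, or None when the resolver must query upstream."""
    labels = qname.rstrip(".").lower().split(".")
    depth = len(labels) - len(zone.rstrip(".").split("."))
    for i in range(1, depth + 1):
        wildcard = "*." + ".".join(labels[i:])
        if (wildcard, qtype) not in rrsets:
            continue
        h = nsec3_hash(".".join(labels[i - 1:]), salt, iters)  # next closer name
        for owner_hash, next_hash in nsec3s:
            if nsec3_covers(owner_hash, next_hash, h):
                return {"answer": (wildcard, qtype), "proof_nsec3": owner_hash}
    return None

# Constructed cache mirroring the RFC 5155 Appendix A zone "example" (SHA-1,
# salt aabbccdd, 12 iterations): the MX wildcard *.w.example and, as
# (owner hash, next hash), the NSEC3 of ns2.example, whose next hash is *.w.example's.
SALT, ITERS = bytes.fromhex("aabbccdd"), 12
CACHE_RRSETS = {("*.w.example", "MX")}
CACHE_NSEC3 = [("q04jkcevqvmu85r014c7dkba38o0ji5r", "r53bq7cc2uvmubfu5ocmm6pers9tk9en")]
```

With this cache, a.z.w.example/MX can be synthesized (the NSEC3 covers z.w.example), while a.x.w.example/MX cannot, because x.w.example exists in the zone and no cached NSEC3 covers it.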

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop