Warren Kumari <war...@kumari.net> wrote:
>
> > Wildcards
> >
> > Should the box in section 7 say "positive responses" instead of "negative
> > responses"?
> >
> > If so, there should probably also be a cross-ref to RFC 4035 section 5.3.4
> > and RFC 5155 section 8.8 which both discuss validating positive wildcard
> > responses. Similar to my suggestions for 5.1 and 5.2 above. I can provide
> > text if you want.
>
> NOT DONE.
> Yes please. That would be awesome!

Thinking about wildcards makes me wonder if we need to approach this whole idea from two directions - firstly, how the validator proves to itself that it can synthesize a negative response or a wildcard response; and secondly, how it can prove that it did the right thing to a downstream validator. At the moment the draft talks about the first aspect, but not very much the second.

Specifically, Should we treat synthesis as if the cache is pretending to be an authoritative server? e.g. for wildcards and NSEC3, something like,

  When synthesizing a wildcard response from its cache, the validating resolver MUST include all the records specified in RFC 5155 section 7.2.5 (for negative responses) or section 7.2.6 (for positive responses). That is, it MUST generate a response that matches what an authoritative server would send. If the required records are not present in the cache, the resolver SHALL query upstream instead of synthesizing the response.

If this makes sense then the other cases should be adjusted to describe things in a similar way, e.g. referring to section 7 of RFC 5155 instead of (or as well as?) section 8, and section 3.1 instead of / as well as section 5 of RFC 4035.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Plymouth, Biscay: Northeast 4 or 5, backing southeast 5 or 6. Slight or moderate. Showers. Good.
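
The rule proposed in the message above (synthesize a wildcard response only when the cache holds every record an authoritative server would send, otherwise query upstream), as an added Python sketch that is not part of the original thread or of any resolver's code. The cache layout, the `synthesize` function and the `(owner_hash, next_hash, types)` NSEC3 tuples are assumptions made for illustration; RRSIGs are assumed to travel with each cached record, and opt-out is ignored.

```python
import hashlib

def wire(name):
    """Canonical lowercase wire form of a fully qualified domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: SHA-1 over name plus salt, re-hashed `iterations` times."""
    digest = hashlib.sha1(wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest

def covers(rec, h):
    """True if hash h lies strictly between rec's owner hash and next hash."""
    owner, nxt = rec[0], rec[1]
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt      # last NSEC3 in the chain wraps around

def next_closer(qname, encloser):
    """Ancestor-or-self of qname that is one label longer than encloser."""
    depth = len(encloser.rstrip(".").split("."))
    return ".".join(qname.lower().rstrip(".").split(".")[-(depth + 1):]) + "."

def synthesize(qname, qtype, wildcard, cache):
    """Records for a synthesized wildcard response, or None to query upstream."""
    salt, iters, chain = cache["salt"], cache["iterations"], cache["nsec3"]
    encloser = wildcard[2:]                      # "*.example." -> "example."
    if not qname.lower().endswith("." + encloser):
        return None
    def find(test, name):
        h = nsec3_hash(name, salt, iters)
        return next((r for r in chain if test(r, h)), None)
    matches = lambda rec, h: rec[0] == h
    cover = find(covers, next_closer(qname, encloser))
    if cover is None:
        return None              # no cached proof that QNAME itself does not exist
    rrset = cache["rrsets"].get((wildcard, qtype))
    if rrset is not None:        # positive wildcard answer (RFC 5155 section 7.2.6)
        return {"answer": rrset, "authority": [cover]}
    ce, wc = find(matches, encloser), find(matches, wildcard)
    if ce is None or wc is None or {qtype, "CNAME"} & wc[2]:
        return None              # proof incomplete, or the type may exist upstream
    return {"answer": [], "authority": [ce, cover, wc]}  # no data (section 7.2.5)
```
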