On Sat, Jun 23, 2018 at 07:43:19PM -0700, Joe Abley wrote:
> I think a pragmatic solution needs to work in unsigned zones.

+1, but an unsigned zone could still return an NSEC-style bitmap. It wouldn't be provably correct, but neither is any other unsigned response. You could actually add the bitmap to the XNAME rdata, instead of returning an NSEC. The XNAME could then mean "alias to <name> for any rrtype not in <bitmap>". Or you could turn it around, and have it mean "alias to <name> for any rrtype that IS in <bitmap>". Then you could have multiple XNAME records with different bitmaps, and forward different types to different names. That's kind of cool, but I suspect the benefits are outweighed by the camel burden.

In any case, I don't understand how XNAME avoids the "ANAME kludges". Legacy resolvers won't know what to do with XNAME, so all the same workarounds on the auth side still must be implemented. Possibly even more of them, since XNAME responses might need to include answers for lots of different rrtypes, while ANAME is explicitly limited to A and AAAA.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
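The message above sketches an alias record that carries an NSEC-style type bitmap and selects a target per query type. The following is an added example, written for this page and not code from the thread, from ISC or from any XNAME draft. The type-bitmap encoder and decoder follow the window-block format defined for NSEC in RFC 4034 section 4.1.2; the `AliasWithBitmap` record, its field layout and the `select_target` semantics are assumptions made here to illustrate the two readings in the message ("any rrtype NOT in the bitmap" versus "any rrtype that IS in the bitmap") and the multiple-record case. A practical point it surfaces: with the "IS in" reading, an operator must keep the bitmaps of sibling records disjoint, or an auth server cannot pick a target deterministically, so the selector treats overlap as an error rather than silently choosing one.

```python
"""NSEC-style type bitmaps (RFC 4034 section 4.1.2) applied to a hypothetical
bitmap-carrying alias record. Added illustration; the alias record type and
its selection rules are assumptions, not a defined DNS RR type."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed subset of RR type mnemonics (registry values, for readability).
RRTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16,
          "AAAA": 28, "SRV": 33, "RRSIG": 46, "NSEC": 47, "DNSKEY": 48,
          "HTTPS": 65, "CAA": 257}


def encode_type_bitmap(types: Iterable[int]) -> bytes:
    """Encode RR type numbers as NSEC window blocks:
    window number (1 octet), bitmap length (1 octet), bitmap (1..32 octets)."""
    windows = {}
    for t in types:
        if not 0 <= t <= 65535:
            raise ValueError(f"rrtype out of range: {t}")
        win, low = t >> 8, t & 0xFF
        bitmap = windows.setdefault(win, bytearray(32))
        bitmap[low >> 3] |= 0x80 >> (low & 7)  # bit 0 of each octet is the MSB
    out = bytearray()
    for win in sorted(windows):
        # Trailing zero octets are omitted, and an empty window is not emitted.
        length = len(windows[win].rstrip(b"\x00"))
        if length == 0:
            continue
        out += bytes([win, length]) + windows[win][:length]
    return bytes(out)


def decode_type_bitmap(data: bytes) -> Set[int]:
    """Parse window blocks back into a set of RR type numbers, rejecting
    truncated or malformed input rather than guessing."""
    types, i = set(), 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        win, length = data[i], data[i + 1]
        if not 1 <= length <= 32:
            raise ValueError(f"bad bitmap length {length} in window {win}")
        bitmap = data[i + 2:i + 2 + length]
        if len(bitmap) != length:
            raise ValueError("truncated bitmap")
        for byte_idx, byte in enumerate(bitmap):
            for bit in range(8):
                if byte & (0x80 >> bit):
                    types.add((win << 8) | (byte_idx << 3) | bit)
        i += 2 + length
    return types


@dataclass
class AliasWithBitmap:
    """Hypothetical alias rdata: target name plus a type bitmap (assumed layout)."""
    target: str
    bitmap: bytes


def select_target(records: List[AliasWithBitmap], qtype: int,
                  include: bool) -> Optional[str]:
    """Pick the alias target that applies to qtype.
    include=True  -> record means 'alias for any rrtype that IS in the bitmap'
    include=False -> record means 'alias for any rrtype NOT in the bitmap'
    Returns None when no record applies; raises if more than one does."""
    matches = [r.target for r in records
               if (qtype in decode_type_bitmap(r.bitmap)) == include]
    if len(matches) > 1:
        raise ValueError("ambiguous: more than one alias covers this rrtype")
    return matches[0] if matches else None


if __name__ == "__main__":
    # Constructed zone data: A/AAAA go to one target, MX to another.
    records = [
        AliasWithBitmap("web.example.net.", encode_type_bitmap([RRTYPE["A"], RRTYPE["AAAA"]])),
        AliasWithBitmap("mail.example.net.", encode_type_bitmap([RRTYPE["MX"]])),
    ]
    for name, num in (("AAAA", 28), ("MX", 15), ("TXT", 16)):
        print(name, "->", select_target(records, num, include=True))
```

The encoder reproduces the RFC 4034 worked example exactly (`A MX RRSIG NSEC` encodes to `00 06 40 01 00 00 00 03`), which is a useful self-check when writing any NSEC or NSEC3 bitmap code.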