Hi all,

while still struggling with the basic ANAME processing (as described in my other mail), I wondered whether with DNSSEC, an authoritative name server MAY, SHOULD or MUST prove the non-existence of an ANAME record when it receives an A or AAAA query and no sibling ANAME record exists for the delivered address records.

My personal opinion is that there is no big harm if a man-in-the-middle silently removes the ANAME record from the response, as the returned address records should still point to some valid hosts, so I would not include it. In the case that there are neither address records nor an ANAME, the NSEC/NSEC3 record which covers the non-existing address record would also cover the ANAME, so this case is not a problem at all.

Nevertheless, I wanted to bring this to your attention just in case you haven't considered that already (it is not clear from the spec that you did).

Regards,

Klaus
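As an added illustration of the two cases discussed above (this is example code, not part of the original mail or of any ANAME implementation): a validator can decide whether a signed NSEC chain denies a type at a name either from the type bitmap of an NSEC owned by that name, or from an NSEC whose owner/next range covers a non-existent name. The NSEC records and the `ANAME` mnemonic are constructed sample data; RRSIG checking, NSEC3 and wildcard/closest-encloser handling are assumed to be done elsewhere.

```python
# Added example: NSEC-based denial of existence for a given RR type.
# NSEC records are modelled as (owner, next, set_of_type_mnemonics).

def _canon(name: str):
    """Canonical-ordering key per RFC 4034 section 6.1: labels are compared
    right to left, case-insensitively, and a parent sorts before its children."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))

def nsec_proves_absence(nsecs, qname, qtype):
    """Return (proven, reason) for 'qtype does not exist at qname', assuming the
    NSEC records have already been signature-validated (assumption)."""
    key = _canon(qname)
    for owner, nxt, types in nsecs:
        o, n = _canon(owner), _canon(nxt)
        if key == o:
            # The name exists: the type bitmap lists every type at this owner,
            # so a missing mnemonic is an authenticated denial of that type.
            if qtype in types:
                return False, f"{qtype} is present at {owner}"
            return True, f"NSEC at {owner} bitmap lacks {qtype}"
        # The name does not exist if it sorts strictly between owner and next
        # (or beyond the last owner when the chain wraps back to the apex);
        # such an NSEC denies every type at that name at once.
        wraps = n <= o
        if (o < key < n) or (wraps and (key > o or key < n)):
            return True, f"NSEC {owner} -> {nxt} covers {qname}"
    return False, "no NSEC in the response proves anything about this name"

# Constructed sample chain for example.com (apex, www, and wrap-around).
SAMPLE_NSECS = [
    ("example.com.", "www.example.com.", {"SOA", "NS", "RRSIG", "NSEC", "DNSKEY"}),
    ("www.example.com.", "example.com.", {"A", "AAAA", "RRSIG", "NSEC"}),
]

if __name__ == "__main__":
    # Case 1: www has address records but no ANAME -> bitmap proves absence.
    print(nsec_proves_absence(SAMPLE_NSECS, "www.example.com", "ANAME"))
    # Case 2: name absent entirely -> covering NSEC denies A and ANAME alike.
    print(nsec_proves_absence(SAMPLE_NSECS, "nonexistent.example.com", "ANAME"))
```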

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop