On Tue, Jun 11, 2019 at 10:31:55AM +0200, Matthijs Mekking wrote:
> The main argument for putting it in the answer section is that putting
> it in the additional section implies a lower trust level, and that the
> record is optional and can be removed when minimizing responses.

I'm inclined to favor this argument (probably unsurprisingly, since I'm the
one who argued it).

IMHO, the ANAME is the real answer we're sending; the A and AAAA records
are just friendly hand-holding for legacy servers.  It doesn't make sense
to me to demote the real answer into the additional section, any more than
it would have to move DNAME there. The protocol specifications are clear on
this point - the more so considering we've already deployed DNAME - and my
sympathies for an implementation that got it wrong would be limited.

That said, if any resolver implementations are known to choke if they see
an unexpected extra RRset in the answer section, it would be good to find
out about it. I guess we should do some testing.

Hm, stub resolvers might be stupider than full resolvers. Perhaps it
would be useful to differentiate RD=0 and RD=1?

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
