This note is a consolidation of several messages to the IETF DNSOP working group last week.
The principal motivation for not answering ANY queries is to allow for simplified implementations which do not need to enumerate all the data at a particular QNAME. This note also covers RRSIG queries, because they need essentially the same enumeration mechanism as ANY queries; the difference between an ANY and an RRSIG response is the non-RRSIG records are omitted from the latter.

The aim of this suggestion is to provide answers that will satisfy the client without harming interoperability, although you do lose a debugging tool.

Error responses (such as NOTIMP or REFUSED) make clients retry at other servers, which is undesirable. NOERROR / NODATA responses are cached in a way that causes queries for other RRtypes to get erroneous NODATA responses.

1. When the server is authoritative for the QNAME's zone.

   Respond as if the QTYPE had been CNAME. That is, provide a CNAME answer if the QNAME is a CNAME, or provide a NOERROR / NODATA response if other types are present at the QNAME. This applies to wildcard matching too.

   If the response would be NOERROR / NODATA and the zone is not signed, synthesize a NULL RR and use that as the answer.

   If the QTYPE was RRSIG, drop non-RRSIG records from the answer.

2. When the server is answering from cache.

   If there is a cache entry for the QNAME, respond as in point 1.

   Otherwise, if RD=0, respond in the standard manner (with the best available referral).

   Otherwise, if RD=1, make a query upstream with QTYPE=CNAME, then respond as in point 1.

Comment.

This is simpler than I expected it to be. I started doing a case analysis -- zone is unsigned or signed with NSEC or NSEC3, QNAME is a CNAME or isn't, recursion or not, etc. -- but the way to handle each case turned out to be very similar. The key insight came from saying, respond with a CNAME answer if there is one, or respond with NOERROR / NODATA - which is exactly the response you would give to a CNAME query. This leads to the suggestion of turning ANY queries into CNAME queries when recursing.

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
Northwest Southeast Iceland: Southwesterly 5 to 7, occasionally gale 8, becoming variable, mainly northeasterly 4. Very rough or high, becoming rough later. Occasional rain. Good, occasionally poor.
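The response rules in points 1 and 2 of the message above, sketched as an added example; this is not code from the message or from any DNS server. The function names, the dictionary data model, and the NXDOMAIN result for a missing name are assumptions; wildcard expansion and the NSEC/NSEC3 proof are not modelled, and the rules are applied in the order listed, so an RRSIG query against unsigned data yields an empty answer.

```python
# Added illustration; names and data model are assumptions, not a real server API.
# Constructed sample data: owner name -> {rrtype: [rdata, ...]}
ZONE = {
    "www.example.": {"CNAME": ["host.example."]},
    "host.example.": {"A": ["192.0.2.1"], "AAAA": ["2001:db8::1"]},
}

def minimal_response(rrsets, qtype, signed):
    """Point 1: answer an ANY or RRSIG query as if QTYPE had been CNAME.

    rrsets is the data known at QNAME, or None if the name does not exist.
    """
    if rrsets is None:
        # Assumption: a missing name gets what a CNAME query would get.
        return {"rcode": "NXDOMAIN", "answer": []}
    if "CNAME" in rrsets:
        answer = [("CNAME", target) for target in rrsets["CNAME"]]
        if signed:
            answer.append(("RRSIG", "covers CNAME"))
    elif signed:
        # NOERROR / NODATA; the NSEC or NSEC3 proof is not modelled here.
        answer = []
    else:
        # Unsigned NODATA: synthesize a NULL RR so the answer is not empty.
        answer = [("NULL", "")]
    if qtype == "RRSIG":
        answer = [rr for rr in answer if rr[0] == "RRSIG"]
    return {"rcode": "NOERROR", "answer": answer}

def resolver_response(cache, qname, qtype, rd, upstream, signed=False):
    """Point 2: answer from cache, give a referral, or recurse with CNAME."""
    if qname not in cache:
        if not rd:
            # RD=0 and nothing cached: standard referral (contents not modelled).
            return {"rcode": "NOERROR", "answer": [], "referral": True}
        # RD=1: the upstream query is sent with QTYPE=CNAME, never ANY.
        cache[qname] = upstream(qname, "CNAME")
    return minimal_response(cache[qname], qtype, signed)

if __name__ == "__main__":
    sent = []
    def upstream(qname, qtype):  # stand-in for a real upstream query
        sent.append((qname, qtype))
        data = ZONE.get(qname)
        return data if data is None else {t: r for t, r in data.items() if t == qtype}
    cache = {}
    for name in ("www.example.", "host.example."):
        print(name, resolver_response(cache, name, "ANY", True, upstream))
    print("upstream queries sent:", sent)
```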
