A further thought... My too-clever (not clever enough?) hack can cause problems downstream, if you have

1. auth (DNSSEC) -> 2. cache (DNSSEC) -> 3. cache (insecure) -> 4. resolver

3 sends a DO=0 ANY query to 2
2 sends a DO=1 version of the query to 1
1 does ANY minimization and responds with a signed NSEC (and nothing else)
2 does not know about ANY minimization

What does 2 return to 3? It can't send a signed NSEC because DO=0. If 2 returns noerror/nodata then 3 will cache this (for all RRtypes) and will fail to forward subsequent queries from 4 for other RRtypes.

If 1 uses Evan's ANY minimization then 2 will be able to safely drop any DNSSEC rubric when passing the response to 3, without implying there are no records at the QNAME. So 3's cache entry will not suppress queries for other RRtypes.

To summarize: one constraint on a minimal ANY response is that if there are non-DNSSEC records at the QNAME then the answer must include at least one of them, that is, it must not look like a NODATA response.

Another way of saying this is that you can't just translate an ANY query into a query for a fixed RRtype: as Evan said, you have to look at the data at the QNAME so you can pick one of the existing RRsets and return that.

Tony.

-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
Fair Isle, Faeroes: Southeast becoming cyclonic 6 to gale 8, occasionally severe gale 9 in Faeroes, becoming west 4 or 5 later. Moderate or rough, becoming very rough for a time. Rain or showers. Good, occasionally poor.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop

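The failure mode above, modelled as an added example (not code from the post or from any resolver): an NSEC-only minimal ANY answer collapses to NODATA once a DO=0 hop strips the DNSSEC records, whereas picking one existing non-DNSSEC RRset survives the stripping. The preference order and the zone data are constructed for the example.

```python
# Added example: why a minimal ANY answer must contain at least one
# non-DNSSEC RRset when any exist at the QNAME. RRsets are modelled as
# {rrtype: [rdata, ...]}; RRSIG rdata starts with the type it covers.

DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "DNSKEY", "DS"}

def minimize_any_nsec_only(rrsets):
    """The 'too-clever' variant from the post: answer ANY with only the signed NSEC."""
    return {t: rrs for t, rrs in rrsets.items() if t in ("NSEC", "RRSIG")}

def minimize_any_pick_one(rrsets, preference=("A", "AAAA", "MX", "TXT", "CNAME")):
    """Evan-style minimisation: look at the data and return one existing
    non-DNSSEC RRset (with its RRSIG). The preference order is an assumption."""
    candidates = [t for t in rrsets if t not in DNSSEC_TYPES]
    if not candidates:  # genuinely nothing but DNSSEC data: NSEC is honest here
        return minimize_any_nsec_only(rrsets)
    chosen = next((t for t in preference if t in candidates), sorted(candidates)[0])
    answer = {chosen: list(rrsets[chosen])}
    sigs = [s for s in rrsets.get("RRSIG", []) if s.split(" ", 1)[0] == chosen]
    if sigs:
        answer["RRSIG"] = sigs
    return answer

def strip_dnssec(answer):
    """What cache 2 must do before relaying a DO=1 answer to insecure cache 3 (DO=0)."""
    return {t: rrs for t, rrs in answer.items() if t not in DNSSEC_TYPES}

def looks_like_nodata(answer):
    """NOERROR with an empty answer section: cache 3 would remember 'no records
    of any type' and stop forwarding queries for other RRtypes from 4."""
    return len(answer) == 0

# Constructed zone data at one QNAME (not real records).
SAMPLE_RRSETS = {
    "A": ["192.0.2.1"],
    "MX": ["10 mail.example."],
    "NSEC": ["next.example. A MX RRSIG NSEC"],
    "RRSIG": ["A 13 2 3600 sig-a", "MX 13 2 3600 sig-mx", "NSEC 13 2 3600 sig-nsec"],
}

def compare_strategies(rrsets=SAMPLE_RRSETS):
    """Return (nsec_only_looks_nodata, pick_one_looks_nodata) after the DO=0 hop."""
    nsec_only = strip_dnssec(minimize_any_nsec_only(rrsets))
    pick_one = strip_dnssec(minimize_any_pick_one(rrsets))
    return looks_like_nodata(nsec_only), looks_like_nodata(pick_one)

if __name__ == "__main__":
    print(compare_strategies())  # (True, False)
```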