Akira Kato and I submitted draft-fujiwara-dnsop-nsec-aggressiveuse-01.
https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-nsec-aggressiveuse/
* Added reference to DLV {{RFC5074}} and imported some sentences.
* Added Aggressive Negative Caching Flag idea.
* Added detailed algorithms in Appendix.
Please check and comment.
I made a mistake in the detailed algorithm part in -01.
I added an updated version in this mail, and I will update the draft.
NSEC3 validation is difficult for me.
Please check this algorithm.
And where is the pseudocode writing guide?
~~~~~~~~~~~
QNAME = the query name;
if (QNAME name entry exists in the cache) {
    resolve the query as usual;
    // if the RRSet (query name and query type) exists in the cache,
    // the resolver responds with the RRSet from the cache.
    // Otherwise, the resolver needs to iterate the query.
}
// Find the closest enclosing NS RRSet in the cache.
// The owner of this NS RRSet will be a suffix of the QNAME
// - the longest suffix of any NS RRSet in the cache.
SIGNER = closest enclosing NS RRSet of QNAME in the cache;
if (SIGNER zone does not have a special NSEC/NSEC3 data structure) {
    resolve the query as usual;
}
if (SIGNER zone is not signed or not validated) {
    resolve the query as usual;
}
if (SIGNER zone is signed with NSEC) {
    // NSEC mode
    if (covering NSEC RR of QNAME at SIGNER zone
        does not exist in the cache) {
        resolve the query as usual;
    }
    TEST = find the longest existing domain name of QNAME
           from the covering NSEC RR;
    if (*.TEST name entry exists in the cache) {
        the resolver can generate a positive response
        or resolve the query as usual;
    }
    if (covering NSEC RR of "*.TEST" at SIGNER zone exists
        in the cache) {
        the resolver can generate a negative response;
    }
    // Lack of information, need to resolve the query as usual
} else if (SIGNER zone is signed with NSEC3 and does not use Opt-Out) {
    // NSEC3 mode
    TEST = SIGNER;
    while (TEST != QNAME) {
        // if any error happens in this loop, break this loop
        UPPER = TEST;
        add a label from the QNAME to the start of TEST;
        // TEST = label.UPPER
        if (TEST name entry exists in the cache) {
            continue;   // need to check the rest of QNAME
        }
        if (covering NSEC3 of TEST exists in the cache) {
            // (non-)terminal name TEST does not exist
            if (*.UPPER name entry exists in the cache) {
                // TEST does not exist and *.UPPER exists
                the resolver can generate a positive response;
            } else if (covering NSEC3 of *.UPPER exists in the cache) {
                // TEST does not exist and *.UPPER does not exist
                the resolver can generate a negative response;
            }
            break;      // Lack of information
        } else if (NSEC3 of TEST does not exist in the cache) {
            break;      // Lack of information
        }
        // TEST label exists, then need to check the rest of QNAME
    }
    // Lack of information, need to resolve the query as usual
}
resolve the query as usual;
~~~~~~~~~~~
--
Kazunori Fujiwara, JPRS <[email protected]>
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
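The "NSEC mode" of the algorithm above, worked through in Python as an added example (this is not code from the draft or from the author). It shows the two steps the pseudocode leaves implicit: deciding that a cached NSEC "covers" QNAME needs RFC 4034 canonical name ordering with the wrap-around at the end of the chain, and "the longest existing domain name of QNAME" (the closest encloser) is the longer common suffix of QNAME with either endpoint of the covering NSEC, which is what makes empty non-terminals work. It goes slightly beyond the pseudocode in two places that a resolver has to get right: an NSEC at a delegation point (NS without SOA) or a DNAME owner is not used for names below it, and a QNAME whose covering NSEC has its next name below QNAME is reported as an existing empty non-terminal rather than a negative answer. The zone "example." and the cache contents are constructed for the demonstration; the caller is assumed to have already restricted the cache to validated NSEC records of the closest enclosing signed zone.

```python
"""Aggressive use of cached NSEC records (added example, not the draft's code).
The zone "example." and the cached NSEC records below are constructed."""

def labels(name):
    """Labels of a name, root-most first, case-folded (plain ASCII names only)."""
    name = name.lower().rstrip(".")
    return [] if name == "" else name.split(".")[::-1]

def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical ordering: compare label by
    label from the root as octet strings; a missing label sorts first."""
    return [lab.encode("ascii") for lab in labels(name)]

def is_below(name, ancestor):
    """True if name is a proper subdomain of ancestor."""
    ln, la = labels(name), labels(ancestor)
    return len(ln) > len(la) and ln[:len(la)] == la

def common_suffix(a, b):
    """Longest common suffix (closest common ancestor) of two names."""
    la, lb = labels(a), labels(b)
    n = 0
    while n < min(len(la), len(lb)) and la[n] == lb[n]:
        n += 1
    return ".".join(la[:n][::-1]) + "." if n else "."

def nsec_covers(owner, nxt, qname):
    """True if NSEC owner -> nxt covers qname (owner < qname < nxt).
    The last NSEC of a zone wraps around: its next name is the apex."""
    ko, kn, kq = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    if ko < kn:
        return ko < kq < kn
    return kq > ko or kq < kn

def find_covering_nsec(cache, qname):
    """Return the cached (owner, next, types) NSEC covering qname, or None.
    An NSEC at a delegation point (NS without SOA) or at a DNAME owner proves
    nothing about names below it (RFC 4035 section 5.4), so it is skipped."""
    for owner, nxt, types in cache:
        if not nsec_covers(owner, nxt, qname):
            continue
        if is_below(qname, owner) and (
                "DNAME" in types or ("NS" in types and "SOA" not in types)):
            continue
        return (owner, nxt, types)
    return None

def aggressive_nsec(cache, qname, apex):
    """What the cache proves about qname in the zone at apex.  Returns
    ("NXDOMAIN", proof)  qname and *.<closest encloser> both proven absent;
                         proof holds the two NSEC records needed in the answer
    ("NODATA", nsec)     qname is an empty non-terminal (next name is below it)
    ("WILDCARD", name)   qname is absent but the wildcard at the closest
                         encloser exists; answer from that wildcard's RRsets
    ("RESOLVE", None)    the cache lacks the needed proof; iterate as usual"""
    if not is_below(qname, apex):
        return ("RESOLVE", None)
    nsec = find_covering_nsec(cache, qname)
    if nsec is None:
        return ("RESOLVE", None)
    owner, nxt, _ = nsec
    # Closest encloser: the longer common suffix of qname with either NSEC
    # endpoint.  Using both endpoints matters because empty non-terminals own
    # no NSEC and only show up as an ancestor of the next name.
    ce = max(common_suffix(qname, owner), common_suffix(qname, nxt),
             key=lambda n: len(labels(n)))
    if labels(ce) == labels(qname):
        return ("NODATA", nsec)
    wildcard = "*." + ce if ce != "." else "*."
    if any(labels(o) == labels(wildcard) for o, _, _ in cache):
        return ("WILDCARD", wildcard)
    wnsec = find_covering_nsec(cache, wildcard)
    if wnsec is None:
        return ("RESOLVE", None)
    if is_below(wnsec[1], wildcard):
        return ("WILDCARD", wildcard)   # the wildcard is an empty non-terminal
    return ("NXDOMAIN", (nsec, wnsec))

# Constructed cache of validated NSEC records for "example.": apex, one host
# under the empty non-terminal b.example., an unsigned delegation, a wildcard.
CACHE = [
    ("example.",     "a.b.example.", {"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"}),
    ("a.b.example.", "sub.example.", {"A", "RRSIG", "NSEC"}),
    ("sub.example.", "*.w.example.", {"NS", "RRSIG", "NSEC"}),
    ("*.w.example.", "example.",     {"A", "RRSIG", "NSEC"}),
]

if __name__ == "__main__":
    for q in ("c.b.example.", "b.example.", "foo.sub.example.",
              "zzz.w.example.", "m.example."):
        print(q, aggressive_nsec(CACHE, q, "example.")[0])
```

Running it prints NXDOMAIN for c.b.example. (closest encloser b.example., wildcard covered by the apex NSEC), NODATA for the empty non-terminal b.example., RESOLVE for foo.sub.example. because the only covering NSEC sits at an unsigned delegation, WILDCARD for zzz.w.example., and NXDOMAIN for m.example.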
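The "NSEC3 mode" loop of the algorithm above, as a second added example (again not the draft's or the author's code): walk from the zone apex toward QNAME one label at a time, hash each ancestor with the zone's NSEC3 parameters, and stop at the first ancestor that is covered rather than matched; that name is the next closer name, its parent is the closest encloser, and the wildcard check happens there. The hash follows RFC 5155 section 5 (SHA-1 over the wire-format name plus salt, iterated, base32hex), and the parameters used are the ones from RFC 5155 Appendix A so the apex hash can be checked against the RFC. The zone contents and the resolver cache are constructed here; `build_nsec3_chain` is a stand-in for the NSEC3 records a validating resolver would have cached, and the delegation and Opt-Out checks are caveats added beyond the pseudocode (an NSEC3 at an NS-only owner proves nothing below it, and a covering NSEC3 with the Opt-Out flag set proves nothing at all).

```python
"""Aggressive use of cached NSEC3 records (added example, not the draft's code).
Zone contents and cache are constructed; NSEC3 parameters are those of
RFC 5155 Appendix A (SHA-1, salt aabbccdd, 12 iterations)."""
import base64
import hashlib

# base64.b32encode uses the RFC 4648 standard alphabet; NSEC3 needs base32hex.
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")
OPT_OUT = 1   # NSEC3 flags field, bit 0 (RFC 5155 section 3.1.2.1)

def wire_name(name):
    """Canonical wire form: lower-case, length-prefixed labels, zero terminator."""
    out = b""
    for lab in name.lower().rstrip(".").split("."):
        if lab:
            out += bytes([len(lab)]) + lab.encode("ascii")
    return out + b"\x00"

def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: SHA-1(name || salt), re-hashed `iterations` more
    times, as the lower-case base32hex owner label (20 bytes -> 32 chars)."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode("ascii").translate(B32HEX).lower()

def build_nsec3_chain(names, types, salt, iterations, optout=False):
    """Constructed NSEC3 chain: one record per existing name (empty
    non-terminals included, as RFC 5155 requires), linked in hash order with
    the last record wrapping to the first.  Record: (owner, next, flags, types)."""
    hashed = sorted((nsec3_hash(n, salt, iterations), n) for n in names)
    chain = []
    for i, (h, n) in enumerate(hashed):
        nxt = hashed[(i + 1) % len(hashed)][0]
        chain.append((h, nxt, OPT_OUT if optout else 0, types.get(n, set())))
    return chain

def nsec3_lookup(cache, h):
    """("match", rec) if a cached NSEC3 owns hash h, ("cover", rec) if one covers
    it (owner < h < next, wrapping at the chain end), else (None, None).
    base32hex preserves byte order, so string comparison is hash order."""
    for rec in cache:
        owner, nxt = rec[0], rec[1]
        if owner == h:
            return ("match", rec)
        if (owner < h < nxt) if owner < nxt else (h > owner or h < nxt):
            return ("cover", rec)
    return (None, None)

def aggressive_nsec3(cache, qname, apex, salt, iterations):
    """Classify what cached NSEC3 records prove about qname.  Returns
    ("EXISTS", types)       qname hashes to a cached owner; answer from its bitmap
    ("NXDOMAIN", (ce, nc))  closest encloser ce exists, next closer name nc and
                            *.ce are both covered: a negative answer can be built
    ("WILDCARD", name)      nc is covered but *.ce exists; answer from it
    ("RESOLVE", None)       no usable proof (unknown, delegation, or Opt-Out)"""
    qname, apex = qname.lower().rstrip(".") + ".", apex.lower().rstrip(".") + "."
    q_labels, a_labels = qname.rstrip(".").split("."), apex.rstrip(".").split(".")
    if len(q_labels) <= len(a_labels) or q_labels[-len(a_labels):] != a_labels:
        return ("RESOLVE", None)
    test = apex
    for label in reversed(q_labels[:-len(a_labels)]):
        upper, test = test, label + "." + test         # TEST = label.UPPER
        kind, rec = nsec3_lookup(cache, nsec3_hash(test, salt, iterations))
        if kind == "match":                            # this ancestor exists
            if test == qname:
                return ("EXISTS", rec[3])
            if "DNAME" in rec[3] or ("NS" in rec[3] and "SOA" not in rec[3]):
                return ("RESOLVE", None)               # delegation: child zone below
            continue                                   # check the next label
        if kind != "cover" or rec[2] & OPT_OUT:
            return ("RESOLVE", None)                   # no proof, or Opt-Out span
        wildcard = "*." + upper
        wkind, wrec = nsec3_lookup(cache, nsec3_hash(wildcard, salt, iterations))
        if wkind == "match":
            return ("WILDCARD", wildcard)
        if wkind == "cover" and not wrec[2] & OPT_OUT:
            return ("NXDOMAIN", (upper, test))
        return ("RESOLVE", None)
    return ("RESOLVE", None)   # not reached: the last label is qname itself

SALT, ITER = bytes.fromhex("aabbccdd"), 12
ZONE_TYPES = {                       # constructed zone "example."
    "example.":     {"SOA", "NS", "DNSKEY", "NSEC3PARAM", "RRSIG"},
    "a.b.example.": {"A", "RRSIG"},
    "sub.example.": {"NS"},          # unsigned delegation (no DS)
    "*.w.example.": {"A", "RRSIG"},
}
# Empty non-terminals b.example. and w.example. own NSEC3 records as well.
ZONE_NAMES = list(ZONE_TYPES) + ["b.example.", "w.example."]
CACHE = build_nsec3_chain(ZONE_NAMES, ZONE_TYPES, SALT, ITER)

if __name__ == "__main__":
    print(nsec3_hash("example.", SALT, ITER))   # compare with RFC 5155 Appendix A
    for q in ("c.b.example.", "zzz.w.example.", "foo.sub.example.", "b.example."):
        print(q, aggressive_nsec3(CACHE, q, "example.", SALT, ITER)[0])
```

The apex hash printed first is the owner of the first NSEC3 in RFC 5155 Appendix A, which is a convenient check that the wire-format name, salt placement and iteration count are right before trusting any covering decision. Note that with Opt-Out set on the chain the same c.b.example. query falls back to RESOLVE, because a covering Opt-Out NSEC3 leaves open whether an insecure delegation exists in the gap.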