In message <[email protected]>, "John Levine" writes:

> >You could apply the technique to any signed zone where you are not
> >worried about not having instant visibility after adding a new name
> >to the zone.
>
> I don't understand this. If I ask for foo.example and get NXDOMAIN,
> and 10 ms later you add a record at foo.example, my negative answer is
> cached for as long as your SOA TTL is. Using NSEC to synthesize responses
> doesn't fundamentally change the situation, it just increases the set
> of names that negative cache entries will cover and maybe changes the
> time if the NSEC and SOA TTLs are different. Unless all of your TTLs
> are zero, there's no such thing as a new name that's instantly visible
> to every client.

For 99.999999999% of names you don't look them up unless you have a priori knowledge that the name exists. This means you don't have many NXDOMAIN records in a cache sans DoS attacks, prefixes to known names (e.g. TLSA for a service) and Internet reachability tests using the DNS etc. Even with search lists you are looking for a known name with a set of suffixes. You are not looking for unknown names.

ANC changes that. It effectively adds lots of NXDOMAIN records for stuff you don't have a priori knowledge of, for unknown names.

Yes, ANC breaks using the DNS for Internet reachability testing.

Named has code to return zero TTLs on negative answers to SOA queries to avoid polluting caches with NXDOMAIN results when searching for zone cuts. Nsupdate and similar tools need to be able to find the containing zone of names that are about to be added, and cached NXDOMAIN responses are a right-royal-pain-in-the-butt if you want to look up the name just after you have added it to the DNS.

SOA and NS are the only two types that should exist in every zone, and looking these up works even when the authoritative servers don't support negative caching. For UPDATE you need to do both SOA and NS lookups to work out where to send the UPDATE message. You start with the name to be added/removed and query for a SOA record at that name; you keep stripping the left-hand label until you get a positive answer or a negative answer with a SOA record. You then make a NS query for the owner of the SOA record. For completeness you could also start with NS lookups and then perform a SOA lookup, with optimisations if you get a cacheable negative response.

Mark

> If someone's going to argue that you carefully watch your query stream
> and only add new names for which there hasn't been a NXDOMAIN query
> within the appropriate interval from any of your DNS servers, I'll
> believe it when I see it.
>
> R's,
> John

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
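The zone-cut walk Mark describes for UPDATE clients (SOA at the name, strip the leftmost label until a positive answer or a negative answer carrying a SOA, then NS for the SOA owner), written out as an added example that is not from the thread or from nsupdate. The resolver is injected and backed by constructed zone data so it runs offline; the `negative_caching` switch shows why the walk still terminates when the authority section carries no SOA at all.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Answer:
    rcode: str                               # "NOERROR" or "NXDOMAIN"
    rrs: list = field(default_factory=list)  # answer-section rdata for the queried type
    auth_soa: Optional[str] = None           # owner of a SOA in the authority section, if any

Query = Callable[[str, str], Answer]         # (owner name, rrtype) -> Answer

def find_containing_zone(name: str, query: Query):
    """Return (zone apex, sorted nameservers) for the zone that would hold `name`."""
    n = name if name.endswith(".") else name + "."
    zone = None
    while zone is None:
        r = query(n, "SOA")
        if r.rcode == "NOERROR" and r.rrs:   # positive answer: n itself is a zone apex
            zone = n
        elif r.auth_soa:                     # NXDOMAIN/NODATA with a SOA: its owner is the apex
            zone = r.auth_soa
        elif n == ".":
            raise LookupError("no zone found for " + name)
        else:                                # nothing to go on: drop the leftmost label, retry
            n = n.split(".", 1)[1] or "."
    ns = query(zone, "NS")                   # UPDATE goes to the zone's nameservers
    if not ns.rrs:
        raise LookupError("no NS records for " + zone)
    return zone, sorted(ns.rrs)

# Constructed authoritative data for this example (hypothetical zones, not real ones).
ZONES = {"example.": ["ns1.example.", "ns2.example."], "dyn.example.": ["ns.dyn.example."]}
SOA = {"example.": "ns1.example. hostmaster.example. 1 3600 900 604800 300",
       "dyn.example.": "ns.dyn.example. hostmaster.example. 7 600 300 86400 60"}
NAMES = {"www.example.", "host.dyn.example."} | set(ZONES)   # names that exist

def enclosing_zone(n: str):
    return max((z for z in ZONES if n == z or n.endswith("." + z)), key=len, default=None)

def make_query(negative_caching: bool) -> Query:
    """Simulated resolver; with negative_caching=False negative answers carry no SOA."""
    def query(n: str, t: str) -> Answer:
        if n in ZONES and t in ("SOA", "NS"):
            return Answer("NOERROR", [SOA[n]] if t == "SOA" else list(ZONES[n]))
        rcode = "NOERROR" if n in NAMES else "NXDOMAIN"   # NODATA vs. non-existent name
        return Answer(rcode, [], enclosing_zone(n) if negative_caching else None)
    return query
```

With negative caching the first SOA query already names the apex; without it the loop climbs through host.dyn.example. (NODATA) to dyn.example. before it gets a positive SOA.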
