In message <[email protected]>, Philip Homburg writes:
> >Yes, ANC breaks using the DNS for Internet reachability testing.
> >
> >Named has code to return zero TTLs on negative answers to SOA queries
> >to avoid polluting caches with NXDOMAIN results when searching for
> >zone cuts.  Nsupdate and similar tools need to be able to find the
> >containing zone of names that are about to be added and cached
> >NXDOMAIN responses are a right-royal-pain-in-the-butt if you want
> >to look up the name just after you have added it to the DNS.
> 
> Did you ever consider making this work assuming more aggressive negative
> caching?

It requires caches to not do ANC for SOA lookups or for there to
be an explicit option to not do ANC.

Searching for the containing zone is just a real-life example of the
impact of getting a NXDOMAIN when you don't want it as a side effect
of something else.

> It seems to me that deploying code under the assumption of only limited
> caching of negative results is a good way to block all kinds of future
> work, or alternatively, you may be in for a lot of pain if other people
> decide that negative caching is more important.

ANC was deliberately decided against when DNSSEC was being developed
to avoid all of these issues.  DNSSEC secured the DNS, it did not
change the semantics of the lookups.  ANC changes the semantics of
the DNS.

> For example, if you are about to add foo.example.com and you want to find
> the zone cut, then looking up $DOES_NOT_EXIST.example.com will give you
> the zone cut without revealing anything about 'foo'.

No it doesn't.  The zone cut may be foo.example.com.  You can't
avoid making a query for foo.example.com.  Looking for
$DOES_NOT_EXIST.example.com does not tell you which zone contains
foo.example.com.

> If you want to test something, create a zone that is designed to be tested,
> for example, one with low ttls everywhere.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
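A toy model of the zone-cut search discussed above, added here as an illustration and not code from the thread or from BIND: `Cache` is a constructed recursive cache over constructed zones, `neg_ttl` stands in for the TTL named puts on negative SOA answers (0 meaning the NXDOMAIN is not retained), and aggressive negative caching itself is not modelled. It shows a cached NXDOMAIN masking a name that was just added, and why probing `$DOES_NOT_EXIST.example.com` cannot find the zone containing `foo.example.com` when `foo.example.com` is itself a zone.

```python
def ancestors(name):
    """foo.example.com -> ['foo.example.com', 'example.com', 'com']"""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

class Cache:
    """Toy recursive cache in front of constructed authoritative data."""
    def __init__(self, zones, neg_ttl):
        self.zones = set(zones)    # zone apexes (constructed sample data)
        self.records = set()       # non-apex names that exist
        self.neg_ttl = neg_ttl     # TTL the authority puts on NXDOMAIN answers
        self.negative = {}         # negative cache: name -> expiry time

    def exists(self, name):
        below = lambda z: z == name or z.endswith("." + name)
        return name in self.records or any(below(z) for z in self.zones)

    def query_soa(self, name, now):
        """SOA query for name: returns (rcode, closest enclosing apex)."""
        zone = next((a for a in ancestors(name) if a in self.zones), None)
        if name in self.zones:
            return ("SOA", name)
        if self.negative.get(name, -1) > now:
            return ("NXDOMAIN", zone)          # served from the negative cache
        if self.exists(name):
            return ("NOERROR", zone)
        if self.neg_ttl > 0:                   # TTL 0 means "do not cache this"
            self.negative[name] = now + self.neg_ttl
        return ("NXDOMAIN", zone)

def containing_zone(cache, name, now):
    """nsupdate-style search: query SOA at each ancestor until an apex answers."""
    for candidate in ancestors(name):
        if cache.query_soa(candidate, now)[0] == "SOA":
            return candidate
    return None

def add_then_lookup(neg_ttl):
    """Find the zone for foo.example.com, add the name, query it right after."""
    cache = Cache({"example.com"}, neg_ttl)
    zone = containing_zone(cache, "foo.example.com", now=0)  # may cache NXDOMAIN
    cache.records.add("foo.example.com")                      # the dynamic update
    return zone, cache.query_soa("foo.example.com", now=1)[0]

def probe_vs_walk():
    """Probing $DOES_NOT_EXIST.example.com is not enough: foo may be its own zone."""
    cache = Cache({"example.com", "foo.example.com"}, neg_ttl=0)
    return (containing_zone(cache, "$DOES_NOT_EXIST.example.com", 0),
            containing_zone(cache, "foo.example.com", 0))
```

With a non-zero negative TTL the lookup right after the update still returns NXDOMAIN from cache; with TTL 0 it sees the new name.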

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop