At Mon, 22 Aug 2016 21:57:12 +0000, "Wessels, Duane" <[email protected]> wrote:
> > - Section 5.3
> >
> >   Unless the zone operator has intentionally added
> >   "_ta-xxxx" records to the zone, the server MUST generate an NXDOMAIN
> >   response.
> >
> >   Perhaps a pedantic comment, but I suspect this is not 100% accurate
> >   in that it could legitimately result in other response than
> >   NXDOMAIN, [...]
>
> I can be convinced either to keep it or to leave it.  My rationale for
> that sentence is to state that a server should not have some built-in logic
> that determines the response to these types of queries.  The response code
> should be determined by whether or not they are in the zone file (or as you
> say covered by wildcard).

Okay, I see the point.  In that case I'd state that point more
specifically rather than through one such case of NXDOMAIN, but I'd
leave it to you.

> > - Section 5.3.1
> >
> >   When the response code for a key tag query is NXDOMAIN, DNS resolvers
> >   that implement aggressive negative caching will send fewer key tag
> >   queries than resolvers that do not implement it.
> >
> >   In the context of the interaction with nsec-aggressiveuse, I think
> >   this should be more generalized than the response to a key tag query
> >   itself, e.g.:
> >
> >   When a query results in an NXDOMAIN response with NSEC or NSEC3
> >   that covers the name of a key tag query, DNS resolvers that
> >   implement aggressive negative caching will send fewer key tag
> >   queries than resolvers that do not implement it.
>
> IMO your version adds a little unnecessary complexity to the sentence, while
> making the same point.

I don't think these two are exactly the same, but I won't insist on
the generalized text.

--
JINMEI, Tatuya

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
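Added illustration, not part of the original message or of the draft under review: a minimal Python model of the Section 5.3.1 point, showing how an NSEC record cached from an NXDOMAIN answer to an unrelated query can cover a key tag name, so the key tag query itself is never sent. The zone contents, the label `_ta-4a5c` and all function names are constructed for the example; NSEC3 and the wildcard-absence proof are left out.

```python
# Constructed example: canonical ordering plus a toy aggressive negative cache.

def canonical_key(name):
    """Sort key for canonical DNS name order: labels right to left, lowercased."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return [l.lower().encode("ascii") for l in reversed(labels)]

def nsec_covers(owner, next_name, qname):
    """True if the NSEC (owner -> next_name) proves that qname does not exist."""
    o, n, q = map(canonical_key, (owner, next_name, qname))
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC in the chain wraps back to the apex

# Constructed zone: apex plus three names, in canonical order.
ZONE = sorted([".", "aaa.", "com.", "org."], key=canonical_key)

def authority(qname):
    """Toy authoritative server: returns (rcode, list of NSEC owner/next pairs)."""
    if any(canonical_key(qname) == canonical_key(z) for z in ZONE):
        return "NOERROR", []
    for i, owner in enumerate(ZONE):
        nxt = ZONE[(i + 1) % len(ZONE)]
        if nsec_covers(owner, nxt, qname):
            return "NXDOMAIN", [(owner, nxt)]
    return "SERVFAIL", []  # unreachable for a complete NSEC chain

class AggressiveCache:
    """Resolver side: reuses cached NSEC ranges to answer without querying."""
    def __init__(self):
        self.nsec = []
        self.upstream_queries = 0

    def resolve(self, qname):
        if any(nsec_covers(o, n, qname) for o, n in self.nsec):
            return "NXDOMAIN (synthesized)"
        self.upstream_queries += 1
        rcode, proof = authority(qname)
        self.nsec.extend(proof)
        return rcode

def demo():
    cache = AggressiveCache()
    first = cache.resolve("0nosuchname.")  # unrelated name; caches ". NSEC aaa."
    second = cache.resolve("_ta-4a5c.")    # key tag query falls in the same gap
    return first, second, cache.upstream_queries

if __name__ == "__main__":
    print(demo())
```
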
