On Apr 14, 2019, at 11:13 AM, John R Levine <[email protected]> wrote:

> Although it is legal to put an additional section in an NXDOMAIN response,
> it's uncommon and I don't know how the bailiwick checks would work.
We already do something like this when looking for the zone apex, and it potentially has the same problem. If I look for the zone apex of a nonexistent name under a zone that does exist, I’ll get back an SOA record in the authority section. How do I know that that’s the real zone apex? If I look up a.b.c.d.example.com and get back an SOA for example.com, how do I know that there is no SOA for c.d.example.com?

The answer is that I don’t, without validating the answer. And that requires traversing the trust anchors to the root, so as you say, this doesn’t save any work.

Clearly, this validation should be done; we shouldn’t just assume that what’s in the additional section is correct. I think that this means that in the case of a query with DNSSEC enabled, the additional section should contain as much of the chain of trust as will fit, in the order the client resolver can be expected to need it.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
