> First of all, it is apparent that if a resolver maintains a unified cache in
> which it has DNSSEC-aware and DNSSEC-oblivious data, things will definitely
> break. The general wisdom appears to be that you need to maintain two
> caches, and only answer DO-set queries with DO-set cache (or go fetch); but
> if there's ever been explicit protocol requirement of this, I have forgotten
> it.
Sorry, but I think this is just an over-reach. There is no necessary reason for a single information model to break. It is about how you do it. The problem of course is transitive links in the tree from one state (signed) to the other (unsigned) and back again, and associated metadata. Arguably, it's one information model, one cache, but the DO bit flagging limits what answers you can tell people and you have to reply with SERVFAIL for information you hold, even though you know the next query might well be for the same info without DO force. It may well be logistically simpler to run two caches, but this statement seems to me to be over-stating things.

G

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
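One way to model the single-cache design the reply argues for (one information model, with a per-entry DO flag limiting which queries an entry may answer), as an added example that is not from this thread or from any resolver implementation; the entry layout, the `fetched_with_do` flag and the miss-then-refetch behaviour for DO queries are assumptions:

```python
from dataclasses import dataclass


@dataclass
class CacheEntry:
    rrset: list            # record strings (constructed sample data in the test)
    rrsigs: list           # RRSIG strings; empty if fetched without DO or zone is unsigned
    fetched_with_do: bool  # True if the upstream query that filled this entry set DO


class UnifiedCache:
    """A single cache keyed by (name, type).

    Entries filled by a DO-less upstream query carry no DNSSEC material, so they
    may serve only DO-less clients; entries filled with DO may serve both kinds
    (signatures are stripped for DO-less clients). A DO client asking for data
    held only in DO-less form gets a miss, i.e. the resolver must go fetch.
    """

    def __init__(self):
        self._store = {}

    def store(self, name, rtype, rrset, rrsigs, fetched_with_do):
        key = (name.lower(), rtype)
        old = self._store.get(key)
        # Never let a DO-less refresh downgrade an entry that already has DNSSEC data.
        if old is not None and old.fetched_with_do and not fetched_with_do:
            return
        self._store[key] = CacheEntry(list(rrset), list(rrsigs), fetched_with_do)

    def lookup(self, name, rtype, do):
        """Return the records to answer with, or None for a cache miss."""
        entry = self._store.get((name.lower(), rtype))
        if entry is None:
            return None
        if do and not entry.fetched_with_do:
            # Data is held, but without the signatures a DO client needs: treat as miss.
            return None
        if do:
            return entry.rrset + entry.rrsigs
        return list(entry.rrset)
```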
