Mark Andrews wrote on 2022-04-07 17:21:
> On 8 Apr 2022, at 09:12, Paul Vixie <[email protected]> wrote: ...
>
>> wildcard synthesis should always have been resolver-side. now we
>> live like this. a zero-length EDNS option with a name like REALWILD
>> that asked the authority server to include *.example.com as an
>> answer's owner name (rather than www.example.com by synthesis) is
>> probably the way out of this hell.
>
> Wildcard synthesis in the resolver only works if you have NSEC/NSEC3
> records (or the equivalent) that show the non-existence of the QNAME;
> otherwise the resolver would replace explicit data with synthesised
> data. Real wildcard + covering NSEC/NSEC3 range would work. Getting
> rid of OPTOUT would also help as you can't synthesise using an
> OPTOUT NSEC3 record. Zone operators can turn off OPTOUT today.
a feature that only works with dnssec sounds good to me.
--
P Vixie
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
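The condition Andrews describes, as an added example that is not part of the thread: a resolver holding a cached wildcard RRset may only synthesize an answer when a covering NSEC proves the queried name absent, and an OPTOUT NSEC3 (or no proof at all) must refuse. The `NSEC` class, `may_synthesize` and the sample names are my own constructions, not anything from the list discussion.

```python
from dataclasses import dataclass
from typing import Optional


def canonical_key(name: str):
    """RFC 4034 canonical ordering: labels compared right to left, case-insensitive."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


@dataclass
class NSEC:
    owner: str
    next: str  # next owner name in canonical order; the zone apex for the last NSEC

    def covers(self, qname: str) -> bool:
        """True when qname sorts strictly between owner and next (so it does not exist)."""
        o, n, q = (canonical_key(x) for x in (self.owner, self.next, qname))
        if o < n:
            return o < q < n
        return q > o or q < n  # last NSEC in the chain wraps around to the apex


def next_closer_name(qname: str, parent: str) -> Optional[str]:
    """Label of qname directly below parent, or None if qname is not under parent."""
    ql = qname.rstrip(".").split(".")
    pl = parent.rstrip(".").split(".")
    if len(ql) <= len(pl) or [l.lower() for l in ql[-len(pl):]] != [l.lower() for l in pl]:
        return None
    return ".".join(ql[-(len(pl) + 1):])


def may_synthesize(qname: str, wildcard: str, nsec: Optional[NSEC], optout: bool = False) -> bool:
    """Resolver-side rule: synthesize from the cached wildcard only with a non-existence proof."""
    if optout or nsec is None:
        return False  # an OPTOUT NSEC3 proves nothing about qname; no proof, no synthesis
    parent = wildcard.split(".", 1)[1]  # "*.example.com" -> "example.com"
    nc = next_closer_name(qname, parent)
    if nc is None:
        return False  # qname is outside the wildcard's scope
    # Covering the next closer name proves both that it (hence qname) is absent and that no
    # closer encloser exists between qname and the wildcard's parent (RFC 4592 matching rule).
    return nsec.covers(nc)


# Constructed sample zone: "*.example.com" and "www.example.com" exist, nothing else.
STAR_TO_WWW = NSEC("*.example.com", "www.example.com")
WWW_TO_APEX = NSEC("www.example.com", "example.com")
```

`may_synthesize("foo.example.com", "*.example.com", STAR_TO_WWW)` is the only case that succeeds; a name that exists, a name beneath an existing name, or an OPTOUT proof all refuse.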