On Wed, Mar 15, 2023 at 2:01 AM Ralf Weber <[email protected]> wrote:

> Moin!
>
> On 14 Mar 2023, at 22:57, John R Levine wrote:
>
> >> John it won't work with chained validators.
> >
> > How about if I only send a "lie to me" option upstream if I get one from
> > my client? I realize this means takeup will be pretty slow.
>
> Clients have no control over what a resolver does upstream, EDNS0 is hop
> by hop and we don't have a good track record of signalling anything in DNS.
> What you want is really not doable with EDNS0 IMHO, as we have that
> spaghetti as Geoff Huston always says that is DNS and unfortunately has
> chains of resolvers before getting to any auth.
>
> So long
> -Ralf
> ——-
> Ralf Weber
Precisely, but it can still work if the signal is used in a hop-by-hop fashion. So, if a resolver sends the EDNS CompactAnswersOK signal to an authority server, which returns a NODATA+NXNAME proof + RCODE=3 response, then the resolver would have to intelligently manage that answer in its cache. To downstream DO=1 queriers that also set CompactAnswersOK, it could return that answer as is. To those that don't, it would have to reset the RCODE to NOERROR.

This imposes more complexity on the resolver implementation of course, but I don't see any reason why it wouldn't work - and it would be optional anyway. Clients that want to see the NXDOMAIN signal in the RCODE might push their resolver service to implement it.

Shumon.
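The hop-by-hop handling described in the reply above, as an added example that is not part of the thread or of any resolver implementation: an authority that honours the signal returns RCODE=3 together with the NSEC-at-qname proof listing the NXNAME pseudo-type; the resolver caches that response once and, per downstream client, either passes it through unchanged (DO=1 and CompactAnswersOK set) or rewrites the RCODE to NOERROR. The encoding of CompactAnswersOK as an EDNS header flag bit next to DO, the NXNAME code point 128, and the omission of RRSIGs are assumptions made for the example, not values taken from the thread.

```python
"""Toy resolver-side handling of a compact denial-of-existence answer.

Assumptions (not from the thread): CompactAnswersOK is modelled as an EDNS
header flag bit (CO) adjacent to DO in the OPT TTL field, and the NXNAME
pseudo-type is given the code point 128. RRSIGs are left out because the
point here is RCODE/cache handling, not signature validation.
"""
import struct

NOERROR, NXDOMAIN = 0, 3
TYPE_A, TYPE_OPT, TYPE_RRSIG, TYPE_NSEC = 1, 41, 46, 47
TYPE_NXNAME = 128          # assumed code point for the NXNAME pseudo-type
CLASS_IN = 1
DO_FLAG = 0x8000           # DNSSEC OK bit in the OPT TTL flags field
CO_FLAG = 0x4000           # CompactAnswersOK: hypothetical bit position


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name; '.' encodes as the single root byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def type_bitmap(types) -> bytes:
    """NSEC type bitmap (RFC 4034 s4.1.2); window 0 suffices for types < 256."""
    bits = bytearray(max(types) // 8 + 1)
    for t in types:
        bits[t // 8] |= 0x80 >> (t % 8)
    return bytes([0, len(bits)]) + bytes(bits)


def rr(owner: str, rtype: int, rclass: int, ttl: int, rdata: bytes) -> bytes:
    return encode_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def opt_rr(edns_flags: int) -> bytes:
    # OPT RR: owner is root, CLASS carries the UDP payload size, TTL carries the flags
    return rr(".", TYPE_OPT, 1232, edns_flags, b"")


def compact_denial_response(qname: str, qtype: int, edns_flags: int) -> bytes:
    """Constructed authority answer for a nonexistent name: RCODE=3 plus the
    NODATA-style proof, an NSEC owned by qname whose bitmap includes NXNAME."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400 | NXDOMAIN, 1, 0, 1, 1)  # QR|AA
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    next_name = b"\x01\x00" + encode_name(qname)          # \000.qname
    nsec = rr(qname, TYPE_NSEC, CLASS_IN, 3600,
              next_name + type_bitmap([TYPE_RRSIG, TYPE_NSEC, TYPE_NXNAME]))
    return header + question + nsec + opt_rr(edns_flags)


def skip_name(msg: bytes, off: int) -> int:
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:     # compression pointer terminates the name
            return off + 2
        off += 1 + length


def rcode(msg: bytes) -> int:
    return msg[3] & 0x0F


def edns_flags(msg: bytes):
    """Return the OPT flags field, or None when the message carries no OPT RR."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return ttl & 0xFFFF
        off += 10 + rdlen
    return None


def with_rcode(msg: bytes, code: int) -> bytes:
    return msg[:3] + bytes([(msg[3] & 0xF0) | code]) + msg[4:]


class Resolver:
    """Caches the upstream answer once and adapts the RCODE to each client."""

    def __init__(self):
        self.cache = {}

    def learn_upstream(self, qname: str, response: bytes) -> None:
        flags = edns_flags(response)
        # RCODE=3 is only a *compact* NXDOMAIN if the authority echoed CO;
        # without it this is an ordinary NXDOMAIN and must not be rewritten.
        compact = rcode(response) == NXDOMAIN and flags is not None and bool(flags & CO_FLAG)
        self.cache[qname] = (response, compact)

    def answer(self, qname: str, client_do: bool, client_co: bool) -> bytes:
        response, compact = self.cache[qname]
        if not compact or (client_do and client_co):
            return response                     # hand it over as is
        # Client cannot read the NXNAME proof as NXDOMAIN: present it as NODATA
        return with_rcode(response, NOERROR)


if __name__ == "__main__":
    r = Resolver()
    r.learn_upstream("nx.example.", compact_denial_response("nx.example.", TYPE_A, DO_FLAG | CO_FLAG))
    for do, co in ((True, True), (True, False), (False, False)):
        print(f"DO={int(do)} CO={int(co)} -> RCODE {rcode(r.answer('nx.example.', do, co))}")
```

The cache key in a real resolver would also carry the qtype and the proof's TTL, and a DO=0 client would additionally have its NSEC records stripped as usual; the block keeps only the decision the reply describes, so that the two downstream cases are visible side by side.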
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
