Dear all,This updated version of the Delegation Revalidation by DNS Resolvers draft has the review feedback from Duane Wessels addressed. More specifically:
* The abstract is corrected to mention that the idea is to revalidate "at the expiration of the TTL of either the parent or child NS RRset, whichever comes first." * The terminology section is extended with terms used in the draft, such as "triggering query" * Replaced many occurrences of the word "will" with MUST, MAY and SHOULD. * A requirement to cache failed validating queries is added, referencing RFC9520 * "Upgrading A and AAAA RRset Credibility" is now a section on its own with "Upgrading glue" and "Upgrading additional address from authoritative NS responses" as subsections. Similarly "Strict and opportunistic revalidation" is now a section on its own with "Strict" and "Opportunistic" revalidation as subsections. * The possibility to keep non-authoritative "glue" addresses for fallback purposes is now mentioned earlier on in the draft. * We specify more clearly what we mean by responding "incorrectly" to an validating NS query. * Reordered the paragraph about caching additional addresses to talk about the DNSSEC case first. * Mention traffic increase and that resolvers SHOULD take care to limit the amount of work they are willing to do to resolve a query to a sensible amount. With that, we believe the draft is ready for working group last call. Op 27-02-2025 om 15:39 schreef [email protected]:
Internet-Draft draft-ietf-dnsop-ns-revalidation-09.txt is now available. It is
a work item of the Domain Name System Operations (DNSOP) WG of the IETF.
Title: Delegation Revalidation by DNS Resolvers
Authors: Shumon Huque
Paul Vixie
Willem Toorop
Name: draft-ietf-dnsop-ns-revalidation-09.txt
Pages: 15
Dates: 2025-02-27
Abstract:
This document recommends improved DNS resolver behavior with respect
to the processing of Name Server (NS) resource record (RR) sets
(RRsets) during iterative resolution. When following a referral
response from an authoritative server to a child zone, DNS resolvers
should explicitly query the authoritative NS RRset at the apex of the
child zone and cache this in preference to the NS RRset on the parent
side of the zone cut. The (A and AAAA) address RRsets in the
additional section from referral responses and authoritative NS
answers for the names of the NS RRset, should similarly be re-queried
and used to replace the entries with the lower trustworthiness
ranking in cache. Resolvers should also periodically revalidate the
delegation by re-querying the parent zone at the expiration of the
TTL of either the parent or child NS RRset, whichever comes first.
The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-ns-revalidation/
There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-ns-revalidation-09
A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-ns-revalidation-09
Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
_______________________________________________
DNSOP mailing list [email protected]
To unsubscribe send an email [email protected]
OpenPGP_0xE5F8F8212F77A498_and_old_rev.asc
Description: OpenPGP public key
OpenPGP_signature.asc
Description: OpenPGP digital signature
_______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
