Ben Schwartz <[email protected]> writes:

> * The response can say "yes, but here are the new TTLs".

So, the TTL value is unlikely to change right?  It's the DNSSEC
signature lifetimes that become the limiting factor.  That's the real
crux: we have two different time lengths: shorter TTLs and longer
signatures (typically).  And they're often extremely different (5
minutes vs a full week).  The point of both the NN bit and LARGE record
is to say "even though you're beyond the TTL, as long as you're before
the signature expiration you're good to go".

> * No LARGE.  The client can embed a hash of the previous response
> (excluding TTLs), and the sender can truncate the response if the hash
> matches.  This allows a stateless server implementation, allows
> resolvers to participate even if the auth server does not, and ensures
> that the response size never increases.

Note that the draft already allows for a stateless server and
specifically says that the serial number can be chosen based on
server-side criteria which may or may not include some stateless
calculation.  EG, for a DNSKEY there is no reason that it can't simply
be one of the keyids (or the sum of them or ...) as long as you have
already been assuring you don't duplicate them, which we've learned
recently is a bad thing to anyway.

So even a hash of some kind on the server side allows it to be stateless.

-- 
Wes Hardaker
Google

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to