Ben Schwartz <[email protected]> writes: > * The response can say "yes, but here are the new TTLs".
So, the TTL value is unlikely to change right? It's the DNSSEC signature lifetimes that become the limiting factor. That's the real crux: we have two different time lengths: shorter TTLs and longer signatures (typically). And they're often extremely different (5 minutes vs a full week). The point of both the NN bit and LARGE record is to say "even though you're beyond the TTL, as long as you're before the signature expiration you're good to go". > * No LARGE. The client can embed a hash of the previous response > (excluding TTLs), and the sender can truncate the response if the hash > matches. This allows a stateless server implementation, allows > resolvers to participate even if the auth server does not, and ensures > that the response size never increases. Note that the draft already allows for a stateless server and specifically says that the serial number can be chosen based on server-side criteria which may or may not include some stateless calculation. EG, for a DNSKEY there is no reason that it can't simply be one of the keyids (or the sum of them or ...) as long as you have already been assuring you don't duplicate them, which we've learned recently is a bad thing to anyway. So even a hash of some kind on the server side allows it to be stateless. -- Wes Hardaker Google _______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
