A problem is that, because of possible complex delegation loops, relays cannot judge whether some glue is "necessary" or not. Administrators of authoritative nameservers can. So, relay implementations must be careful to cache answers including glue to be able to reproduce the original answers (there is additional complexity w.r.t. TTL, of course).
This is very true.
In the development of DNSSEC we have haggled over whether or not an authoritative server ought to emit data it thought cryptographically invalid based on either the mathematics or temporal restrictions. In summary, we learned that we ought never allow a name server to edit a zone. As far as mathematically invalid - the question ranged from a server not being able to access all of the keys on start (example.com doesn't find .com during load) and a server with a lot of data would waste a lot of time loading if it checked all signatures. As far as temporal - a signature may be valid on load but expire before the zone is refreshed.
Another point to keep in mind is that the more DNS "internally" (meaning the servers, both authoritative and recursive) edits the data sent, the more opaque it gets. We lost the end-to-end-ness, which is bad for debugging and makes things like NAT not work. (Like them or not, it should not be a goal to make them break. Yes, NAT is a larger issue; my point is that DNS should stick to simplicity so as not to obviate unforeseen future advances.)
Getting back to Ohta-san's point, servers are not policy wonks. Policy is up to the administrators and the applications. They are the end-to-end masters of the DNS, not the servers in between.
PS - I've been tracing the steps one implementation takes in chasing glue. It asks for A and AAAA at each step (at one time A6 too), also using EDNS0. The result is four queries to non-EDNS servers to get possibly one address record. Wasteful - but, what's the alternative? If the implementation only chased A's until it found the name and then looked for AAAA, that hurts V6. There's no way of telling if, at any moment, a query will be answered by data, negation, or a referral. So, asking for all simultaneously is the only rational "in self-interest" strategy.
PPS - Glue is a stickier issue than we realize. Watch a few packet traces just for fun.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-703-227-9854
ARIN Research Engineer
History repeats, therefore my life is a rerun.

dnsop resources:
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
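The two mechanics discussed above, a relay caching a referral together with its glue so it can reproduce the original answer under a running TTL, and a resolver chasing glue by asking for A and AAAA at each step with an EDNS0 query first and a plain retry when an old server answers FORMERR, as one added worked example. This is illustrative code written for this page, not code from any of the posters or from any resolver implementation; the server, the `example.` zone, `ns1.example.` and the 192.0.2.53 address are constructed, and the mock server answers from a dictionary instead of doing DNS I/O.

```python
"""Toy relay cache plus glue chaser (constructed example, no network I/O)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RR:
    """One resource record: owner name, type, remaining TTL, rdata."""
    name: str
    rtype: str
    ttl: int
    rdata: str


@dataclass
class MockAuth:
    """Constructed stand-in for an authoritative server."""
    edns0: bool
    data: dict                  # (qname, rtype) -> list of RR
    queries: int = 0            # how many queries this server has received

    def answer(self, qname, rtype, use_edns0):
        self.queries += 1
        if use_edns0 and not self.edns0:
            return "FORMERR", []    # pre-EDNS server rejects the OPT record
        rrs = self.data.get((qname, rtype), [])
        return ("DATA" if rrs else "NODATA"), rrs


def lookup(server, qname, rtype):
    """Send an EDNS0 query first; on FORMERR retry as a plain query."""
    rcode, rrs = server.answer(qname, rtype, True)
    if rcode == "FORMERR":
        rcode, rrs = server.answer(qname, rtype, False)
    return rcode, rrs


def chase_glue(server, nsname):
    """Ask for A and AAAA at once: either answer may be data, a negative
    answer or a referral, so neither type can be deferred.  Returns the
    address RRs found and the number of queries it cost."""
    before = server.queries
    found = []
    for rtype in ("A", "AAAA"):
        rcode, rrs = lookup(server, nsname, rtype)
        if rcode == "DATA":
            found.extend(rrs)
    return found, server.queries - before


@dataclass
class RelayCache:
    """Keeps whole referrals (NS set plus glue) so the original answer can be
    reproduced; an entry lives only as long as its shortest TTL."""
    entries: dict = field(default_factory=dict)   # zone -> (stored_at, [RR])

    def store(self, zone, rrs, now):
        self.entries[zone] = (now, list(rrs))

    def reproduce(self, zone, now):
        """Return the referral with every TTL reduced by the elapsed time,
        or None once any record in it (glue included) has expired."""
        if zone not in self.entries:
            return None
        stored_at, rrs = self.entries[zone]
        elapsed = now - stored_at
        if any(rr.ttl <= elapsed for rr in rrs):
            del self.entries[zone]
            return None
        return [RR(rr.name, rr.rtype, rr.ttl - elapsed, rr.rdata) for rr in rrs]


def resolve_referral(cache, server, zone, nsname, now):
    """Reproduce a cached referral, or build one by chasing glue."""
    cached = cache.reproduce(zone, now)
    if cached is not None:
        return cached, 0
    ns_rr = RR(zone, "NS", 3600, nsname)
    glue, spent = chase_glue(server, nsname)
    cache.store(zone, [ns_rr] + glue, now)
    return [ns_rr] + glue, spent


def demo():
    """Constructed run: one non-EDNS server that knows only an A record."""
    server = MockAuth(edns0=False, data={
        ("ns1.example.", "A"): [RR("ns1.example.", "A", 600, "192.0.2.53")],
    })
    cache = RelayCache()
    _, spent_first = resolve_referral(cache, server, "example.", "ns1.example.", now=0)
    again, spent_cached = resolve_referral(cache, server, "example.", "ns1.example.", now=100)
    _, spent_expired = resolve_referral(cache, server, "example.", "ns1.example.", now=700)
    return spent_first, spent_cached, [rr.ttl for rr in again], spent_expired


if __name__ == "__main__":
    print(demo())
```

The first resolution spends four queries for one address record (A with EDNS0, A plain, AAAA with EDNS0, AAAA plain), the reproduced answer at t=100 costs nothing and carries the counted-down TTLs, and at t=700 the glue's 600-second TTL has run out, so the relay drops the whole referral rather than serving it with stale glue and pays the four queries again.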
