Robert Elz writes:
> I keep getting told that the load on the servers for the big zones
> (COM especially of course) would simply be too much

In fact, those servers provided glue for all NS records until recently,
and they still provide glue for the vast majority of NS records.

How do they avoid the efficiency problems? Easy: the glue is pushed to
the servers by the registrants, rather than being pulled.

> The NS and A records are likely to have different TTLs, and one expires
> before the other.

The TTL on the combination is the minimum, of course. This doesn't make
a big difference in cacheability; see my analysis of MX records. (In
fact, the TTLs are typically the same.)

> the SIG that accompanies the A record would have been fetched by the
> server from the auth server for the A record,

Excuse me? A moment ago you didn't want to generate extra queries. You
wanted to use the out-of-bailiwick glue. I'm explaining how to make that
happen without allowing caches to be poisoned.

The SIG semantics don't have to be modified. When the server copies the
A record, it can also move it into its own zone, sign it, and change the
NS record accordingly.

Of course, this is functionally identical to signing an NS record that
contains an IP address. You have to do a lot more parsing, and check
more signatures, but the end result is the same.

> this has slipped rather far away from issues directly
> relating to A6 records.

No. The issues are exactly the same.

---Dan
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
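
The two points made in the message above (the TTL of an NS-plus-address combination is the minimum of the two, and the parent server can copy an out-of-bailiwick A record into its own zone and change the NS record to match) are illustrated here in an added Python example that is not part of the original message. The `g<n>.glue.<zone>` naming scheme, the record tuples and the sample data are assumptions; signing the rewritten records with the zone's key is not modelled.

```python
from typing import NamedTuple

class RR(NamedTuple):
    name: str
    rtype: str
    ttl: int
    data: str

def norm(name: str) -> str:
    return name.rstrip(".").lower()

def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is at or below `zone`, i.e. the zone may vouch for it."""
    name, zone = norm(name), norm(zone)
    return name == zone or name.endswith("." + zone)

def rehome_glue(zone, ns_rrs, a_rrs):
    """Rewrite delegations so that all glue handed out lives inside `zone`."""
    addrs = {}
    for a in a_rrs:
        addrs.setdefault(norm(a.name), []).append(a)
    out, n = [], 0
    for ns in ns_rrs:
        glue = addrs.get(norm(ns.data), [])
        if in_bailiwick(ns.data, zone) or not glue:
            # Already in-zone, or no address was pushed: leave the NS as is.
            out.append(ns)
            out.extend(glue)
            continue
        new_name = f"g{n}.glue.{norm(zone)}"  # hypothetical in-zone name
        n += 1
        # The combination is only valid while both parts are: take the minimum.
        ttl = min([ns.ttl] + [a.ttl for a in glue])
        out.append(RR(ns.name, "NS", ttl, new_name))
        out.extend(RR(new_name, "A", ttl, a.data) for a in glue)
    return out

# Constructed sample data (documentation address ranges).
SAMPLE_NS = [
    RR("example.com", "NS", 172800, "ns1.example.net"),   # out of bailiwick
    RR("other.com", "NS", 172800, "ns.other.com"),        # in bailiwick
    RR("nolookup.com", "NS", 172800, "ns.unknown.example"),  # no address known
]
SAMPLE_A = [
    RR("ns1.example.net", "A", 3600, "192.0.2.1"),
    RR("ns.other.com", "A", 172800, "192.0.2.53"),
]

if __name__ == "__main__":
    for rr in rehome_glue("com", SAMPLE_NS, SAMPLE_A):
        print(*rr)
```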