To: Slawomir Gruca <slawekgr@nask.pl>
Cc: dnssec@cafax.se
From: Edward Lewis <edlewis@arin.net>
Date: Thu, 15 May 2003 14:21:26 +0200
In-Reply-To: <Pine.GSO.4.55.0305151100500.5865@boromir>
Sender: owner-dnssec@cafax.se
Subject: Re: NXT issues
At 11:07 +0200 5/15/03, Slawomir Gruca wrote:
>Hi all,
>
>There are a few things that bother me regarding the NXT record. Firstly,
>does anyone need to know what is in the 'next domain field' of the RDATA
>section of NXT for authentication of a non-existent name? Am I wrong saying
>that it's not necessary? Just the name of the record should be enough for
>verification of the name.

It is very necessary.  A document is in preparation by myself and Bob
Halley to state why in excruciating detail. ;)  For now see:

http://www.ietf.org/internet-drafts/draft-lewis-dns-wildcard-clarify-00.txt

...which is my initial individual document and

http://ops.ietf.org/lists/namedroppers/namedroppers.2003/msg01038.html

...which is Bob's addition.  The two are being merged into a DNSEXT document.

>It is only a hypothetical situation, since it's obvious that the server
>just has to return the whole NXT (otherwise it couldn't be verified).
>
>The next question I'm gonna ask you is related to cache servers. Suppose
>we have a domain
>  a.com NXT d.com
>  d.com NXT a.com
>and someone asks for b.com which simply doesn't exist. So when the client
>gets a negative reply, the record (a.com NXT d.com) has been cached. As of
>that moment anyone asking for b.com will get the answer from the cache (if
>the cache is used). But what would happen if a fellow asked if c.com
>exists? Is the cache server obliged to answer that there is no c.com on
>the basis of the cached NXT record which says there is a black hole
>between a and d? I assume that the record is not opt-in.

You should consult RFC 2308 (NCACHE).  Negative answers are cached according
to the query and not the answer.  That means that a cached negative answer
for b.com isn't consulted for c.com, even though the proof looks like it
covers the new query.  The reason for this involved wild card synthesized
negative proofs.

Your example is missing a piece though.  You won't see the above, but you
might see

  a.com NXT d.com
  d.com NXT com
  com NXT a.com

as you need the zone apex in the NXT chain.

>
>Kind regards,
>Slawek
>
>--------------------------------------------------------------------------
>Slawomir Gruca <slawomir.gruca@nask.pl>, NASK
>--------------------------------------------------------------------------

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                            +1-703-227-9854
ARIN Research Engineer

Your office is *not* a reality-based sit-com TV show.
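The following is an added example, not part of the original thread or of any NASK or ARIN code. It models the three-record NXT chain for the zone "com" from the reply above (com, a.com, d.com), checks which gap a queried name falls into using canonical DNS name ordering, shows why the two-record chain without the apex cannot be complete, and implements a negative cache keyed by (qname, qtype) as RFC 2308 describes, so that the cached proof for b.com is not reused for c.com even though the same NXT span would cover it. Only the "next domain" part of NXT is modelled; the type bitmap is omitted, and the zone and names are constructed for illustration (NXT itself was later replaced by NSEC in RFC 4034).

```python
"""Constructed example of an NXT chain, canonical-order span checks and an
RFC 2308 style negative cache keyed by query, not by answer. The zone
'com' with names a.com and d.com is taken from the mailing-list reply;
the type bitmap of NXT is deliberately omitted."""

APEX = "com"

# Constructed chain from the reply: the apex appears as an owner and the
# last record's next field points back to the apex, closing the loop.
NXT_CHAIN = [
    ("com", "a.com"),
    ("a.com", "d.com"),
    ("d.com", "com"),
]

# The two-record chain from the question; it omits the apex.
CHAIN_WITHOUT_APEX = [
    ("a.com", "d.com"),
    ("d.com", "a.com"),
]


def canonical_key(name):
    """Canonical DNS order: labels compared right to left, case-insensitive."""
    labels = name.lower().rstrip(".").split(".")
    return tuple(label.encode() for label in reversed(labels))


def in_zone(name, apex=APEX):
    k_name, k_apex = canonical_key(name), canonical_key(apex)
    return k_name[:len(k_apex)] == k_apex


def covers(owner, nxt, name, apex=APEX):
    """True if 'name' lies strictly inside the gap proven empty by 'owner NXT nxt'."""
    if not in_zone(name, apex):
        return False
    k_owner, k_next, k_name = map(canonical_key, (owner, nxt, name))
    if k_owner < k_next:
        return k_owner < k_name < k_next
    # owner >= next only for the last record, whose next field is the apex:
    # it covers everything after the owner up to the end of the zone.
    return k_next == canonical_key(apex) and k_name > k_owner


def chain_is_complete(chain, apex=APEX):
    """Owners in canonical order starting at the apex, each next field naming
    the following owner, and the last next field wrapping back to the apex."""
    owners = [owner for owner, _ in chain]
    if not owners or canonical_key(owners[0]) != canonical_key(apex):
        return False
    if owners != sorted(owners, key=canonical_key):
        return False
    expected_next = owners[1:] + [apex]
    return all(canonical_key(nxt) == canonical_key(exp)
               for (_, nxt), exp in zip(chain, expected_next))


def prove_nonexistence(chain, name, apex=APEX):
    """Return the NXT record proving 'name' does not exist, or None when
    'name' is an owner in the chain (it exists) or the chain is malformed."""
    if not chain_is_complete(chain, apex):
        return None
    if any(canonical_key(owner) == canonical_key(name) for owner, _ in chain):
        return None
    for owner, nxt in chain:
        if covers(owner, nxt, name, apex):
            return (owner, nxt)
    return None


class NegativeCache:
    """Negative cache keyed by (qname, qtype), per RFC 2308: an entry is hit
    only by the exact query that created it, never by another name that
    merely falls inside the cached NXT span."""

    def __init__(self):
        self.entries = {}

    def store(self, qname, qtype, nxt_record):
        self.entries[(qname.lower().rstrip("."), qtype)] = nxt_record

    def lookup(self, qname, qtype):
        return self.entries.get((qname.lower().rstrip("."), qtype))


if __name__ == "__main__":
    proof = prove_nonexistence(NXT_CHAIN, "b.com")
    cache = NegativeCache()
    cache.store("b.com", "A", proof)
    print("proof for b.com:", proof)
    print("cache hit for b.com:", cache.lookup("b.com", "A"))
    print("cache hit for c.com:", cache.lookup("c.com", "A"))
    print("same span would cover c.com:", covers(*proof, "c.com"))
    print("chain without apex complete:", chain_is_complete(CHAIN_WITHOUT_APEX))
```

Running it shows the two points of the reply side by side: `covers` returns True for c.com against the cached a.com NXT d.com record, yet `NegativeCache.lookup` misses for c.com because the key is the query name, and `chain_is_complete` rejects the two-record chain that lacks the apex.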