Re: Q-6: May security-aware resolvers cache "Bad" data?
At Fri, 28 Feb 2003 15:22:54 -0800 (PST), Brian Wellington wrote:
>
> I'm not sure where negative caching fits into this. The RRsets returned
> as part of a valid negative response should all be verified; there's
> nothing in the negative response which would be classified as anything
> other than Authenticated.
You're thinking of conventional negative response caching, for which
you are of course correct.
The reference here was to a kind of negative caching for which we don't
have a name yet, dealing with RRsets whose signatures are demonstrably
bad, so that the resolver can avoid performing the same (failing)
query and verification operations over and over again within a short
period of time. RFC 2535 appears to forbid this form of negative
caching and doesn't discuss the (potentially serious) implications of
doing so, hence the question.
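An added illustration, not part of the original message or of any resolver's code: a minimal sketch of the kind of cache described above, which remembers RRsets whose signatures failed verification so the same failing query and verification are not repeated within a short period. The names `BadCache`, `resolve` and `fetch_and_verify`, the 30-second lifetime and the entry limit are assumptions made for this example.

```python
import time

BAD_TTL = 30  # seconds; assumed short lifetime, not taken from RFC 2535 or the post


class BadCache:
    """Remembers RRsets whose signatures failed verification, for a short time."""

    def __init__(self, ttl=BAD_TTL, max_entries=1024, clock=time.monotonic):
        self.ttl, self.max_entries, self.clock = ttl, max_entries, clock
        self._entries = {}  # (owner, type, class) -> expiry time

    @staticmethod
    def _key(owner, rrtype, rrclass="IN"):
        # DNS names compare case-insensitively; ignore a trailing root dot.
        return (owner.rstrip(".").lower(), rrtype.upper(), rrclass.upper())

    def mark_bad(self, owner, rrtype, rrclass="IN"):
        now = self.clock()
        # Drop expired entries, then keep the table bounded so that a flood of
        # bad responses cannot grow it without limit.
        self._entries = {k: e for k, e in self._entries.items() if e > now}
        if len(self._entries) >= self.max_entries:
            del self._entries[min(self._entries, key=self._entries.get)]
        self._entries[self._key(owner, rrtype, rrclass)] = now + self.ttl

    def is_bad(self, owner, rrtype, rrclass="IN"):
        key = self._key(owner, rrtype, rrclass)
        expiry = self._entries.get(key)
        if expiry is None:
            return False
        if expiry <= self.clock():
            del self._entries[key]  # expired: the next lookup retries for real
            return False
        return True


def resolve(cache, fetch_and_verify, owner, rrtype):
    """fetch_and_verify is a hypothetical callable returning (verified, rrset)."""
    if cache.is_bad(owner, rrtype):
        return ("bad-cached", None)  # skip the query and the signature check
    verified, rrset = fetch_and_verify(owner, rrtype)
    if not verified:
        cache.mark_bad(owner, rrtype)
        return ("bad", None)
    return ("authenticated", rrset)
```

The entry never stores the failing RRset itself, only the fact of the failure, so nothing unverified can be returned from this cache as data.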