
Q-21: Can NSEC records in the cache be re-used?

Section 3.2, second paragraph, of
draft-ietf-dnsext-dnssec-protocol-03.txt refers to the re-use of NSEC
records from the cache:

  A security-aware recursive name server MUST NOT use NSEC RRs from
  one negative response to synthesize a response for a different
  query.

Some reviewers have suggested that this language is overly
restrictive.  The editors propose this additional text immediately
following the above sentence to allow for a specific case of re-use:

  A security-aware recursive name server MAY use an NSEC RR from a
  previous response to generate a NODATA response to a current query,
  provided that the QNAME and QCLASS of the current query match the
  owner name and class, respectively, of the cached NSEC RR.

Does the working group have any objection to this added text?

--
archive: <http://ops.ietf.org/lists/namedroppers/>
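The rule proposed above, applied to a resolver cache, as an added worked example (this is illustrative code written for this page, not text from the draft, the working group, or any resolver implementation). The cache model is assumed: the NSEC type bit map is held as a set of type mnemonics, and each cached NSEC carries a validated flag and an absolute expiry time. The owner-name and class match is the draft's own condition; the validation, TTL, QTYPE-in-bitmap and CNAME checks are practitioner caveats added here, since a NODATA answer is only correct when the name exists but has no RRset of the requested type. The sample NSEC and queries are constructed for the example.

```python
"""Added example: applying the Q-21 NSEC re-use rule in a validating
recursive resolver's cache. Illustrative code only; the cache data model
and the sample NSEC below are assumptions made for this example."""
import time


def canonical(name: str) -> str:
    """Lower-case a name and give it a trailing dot so comparisons are
    case-insensitive and absolute."""
    return name.rstrip(".").lower() + "."


def canonical_key(name: str) -> list:
    """Sort key for DNSSEC canonical name ordering (as later specified in
    RFC 4034 section 6.1): labels compared right to left as byte strings."""
    labels = canonical(name).rstrip(".").split(".")
    return [label.encode("ascii") for label in reversed(labels)]


class CachedNSEC:
    """One NSEC RR as a validating cache might hold it (assumed model)."""

    def __init__(self, owner, rclass, next_name, types, expires_at, validated):
        self.owner = owner            # owner name of the NSEC RR
        self.rclass = rclass          # class, e.g. "IN"
        self.next_name = next_name    # Next Domain Name field
        self.types = frozenset(t.upper() for t in types)  # Type Bit Map
        self.expires_at = expires_at  # absolute time the cached TTL runs out
        self.validated = validated    # True only if NSEC + RRSIG validated


def nsec_covers(nsec: CachedNSEC, name: str) -> bool:
    """True if `name` sorts strictly between owner and next name, i.e. the
    NSEC proves the name does not exist. A resolver could derive this from
    a cached NSEC, but using it for a different query (NXDOMAIN synthesis)
    is exactly what the MUST NOT in section 3.2 forbids."""
    o, n, x = (canonical_key(nsec.owner), canonical_key(nsec.next_name),
               canonical_key(name))
    if o < n:
        return o < x < n
    return x > o or x < n     # last NSEC in the zone wraps around to the apex


def can_synthesize_nodata(nsec, qname, qclass, qtype, now=None):
    """Decide whether `nsec` may be re-used to answer (qname, qclass, qtype)
    with NODATA under the proposed Q-21 text. Returns (ok, reason)."""
    now = time.time() if now is None else now
    if not nsec.validated:
        return False, "cached NSEC was never validated"
    if now >= nsec.expires_at:
        return False, "cached NSEC TTL has expired"
    if canonical(nsec.owner) != canonical(qname):
        # The draft's condition: QNAME must equal the NSEC owner name.
        # A covered-but-different name is not permitted, even though the
        # NSEC would prove it does not exist.
        return False, "QNAME does not match the NSEC owner name"
    if nsec.rclass.upper() != qclass.upper():
        return False, "QCLASS does not match the NSEC class"
    t = qtype.upper()
    if t in nsec.types:
        return False, f"type {t} exists at this owner; not a NODATA case"
    if "CNAME" in nsec.types:
        return False, "owner has a CNAME; the answer would not be NODATA"
    return True, "NODATA may be synthesized from the cached NSEC"


# Constructed sample: the NSEC at alpha.example., proving that name holds
# only A/AAAA (plus RRSIG/NSEC) and that nothing exists between
# alpha.example. and beta.example.
SAMPLE_NSEC = CachedNSEC(
    owner="alpha.example.", rclass="IN", next_name="beta.example.",
    types=("A", "AAAA", "RRSIG", "NSEC"), expires_at=3600.0, validated=True)

if __name__ == "__main__":
    for qname, qclass, qtype in [("ALPHA.example", "in", "MX"),
                                 ("alpha.example.", "IN", "A"),
                                 ("alpha2.example.", "IN", "A"),
                                 ("alpha.example.", "CH", "MX")]:
        ok, why = can_synthesize_nodata(SAMPLE_NSEC, qname, qclass, qtype,
                                        now=1000.0)
        print(f"{qname} {qclass} {qtype}: {ok} ({why})")
```

Note the alpha2.example. case: `nsec_covers` shows the cached NSEC does prove that name is absent, yet `can_synthesize_nodata` refuses it because the owner name differs, which is the distinction the proposed MAY text draws.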