[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Q20: expanding wildcards in the authority section

To: Erik Rozendaal <erik@NLnetLabs.nl>
Subject: Re: Q20: expanding wildcards in the authority section
From: Mark.Andrews@isc.org
Date: Fri, 05 Dec 2003 00:41:00 +1100
Cc: "Olaf M. Kolkman" <olaf@ripe.net>, namedroppers@ops.ietf.org
In-reply-to: Your message of "Thu, 04 Dec 2003 13:49:17 BST." <3FCF2D4D.9050506@nlnetlabs.nl>

> Olaf M. Kolkman wrote:
> > 
> >   Q20: Expansion of wild cards in the authority section.
> > 
> >       Default action, based on sense of the room at IETF58, is to not
> >       expand the owner names of e.g. wildcard  NSEC RRs.
> >      
> >       If there is no further prohibitive objections by December 8 this 
> >       will be taken as consensus of the working group.
> 
> I find this rather inconsistent with the normal behavior of wildcards. 
> Currently wildcard owner names are always expanded to match the SNAME.
> 
> The current NSD DNSSEC implementation expands the wildcard NSEC record. 
> However, changing it to not expand the wildcard is not a big deal.  But I'd 
> still prefer consistent wildcard behavior when the wildcard matches the SNAME
> .
> 
> So (in order of preference) I'd like:
> 
> 1. The wildcard MUST always be expanded when it matches SNAME.
> 2. The wildcard MUST NOT be expanded for NSEC records in the authority 
> section even if it matches SNAME.
> 3. The wildcard MAY/SHOULD/SHOULD NOT be expanded.
> 
> Option 3 has additional complications for the client/resolver and would not 
> be a good idea in my opinion.
> 
> I prefer option 1 but do not mind option 2.
> 
> Erik

	Say you have

	QNAME c.example.
	QTYPE A
	
	And you get the following back:

	(expanded *)
	RCODE=NOERROR Answer count=0
	c.example. NSEC b.example. TXT NSEC RRSIG
	c.example. RRSIG ...
	b.example. NSEC d.example. A NSEC RRSIG
	b.example. RRSIG ...

	(unexpanded *)
	RCODE=NOERROR Answer count=0
	*.example. NSEC b.example. TXT NSEC RRSIG
	*.example. RRSIG ...
	b.example. NSEC d.example. A NSEC RRSIG
	b.example. RRSIG ...

	The tests the validator has to go through for NOERROR NODATA
	are:

	Does QNAME exist? ****
	Yes: Is it a empty node
	     Yes: SUCCESS
	     No: Does the type exist at the node?
		 Yes: FAIL
		 No: SUCCESS
	No: Does a wildcard exist?  ****
	    Yes: Does the type exist in the wildcard? ****
		 Yes: FAIL
	         No: SUCCESS
	     No: FAIL
	
	Which of the above two answers makes it easier to answer the
	**** questions?

	Mark

> --
> to unsubscribe send a message to namedroppers-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

Follow-Ups:
- Re: Q20: expanding wildcards in the authority section
  - From: Erik Rozendaal <erik@NLnetLabs.nl>

References:
- Re: Q20: expanding wildcards in the authority section
  - From: Erik Rozendaal <erik@NLnetLabs.nl>

Prev by Date: Re: Q20: expanding wildcards in the authority section
Next by Date: Re: List administration
Previous by thread: Re: Q20: expanding wildcards in the authority section
Next by thread: Re: Q20: expanding wildcards in the authority section
Index(es):
- Date
- Thread