
Re: NAT64 and DNSSec



Hi Jinmei,

good input, thanks!

regards, marcelo

JINMEI Tatuya / ???? wrote:
At Wed, 26 Mar 2008 19:23:28 +0100,
marcelo bagnulo <marcelo@it.uc3m.es> wrote:

- Level 1: We could add a tag on the DNS reply, EDNS0, marking these as synthetic RR, so the receiving host knows these are fake but that it should accept them anyway. This doesn't really solve the problem described above, but at least DNS semantics are preserved, since synthetic RRs are explicitly marked and receivers know about that. (Question for DNS guys: do normal hosts accept DNS replies containing EDNS0 tags that they don't know, or do they drop these replies?)

I don't have a general answer, but libbind (which is incorporated to
the resolver library of many UNIX-like OSes) "accept"s such responses;
actually, it doesn't even care about the contents of the additional
section at all.

FYI, a proposed revised draft of EDNS0
(draft-ietf-dnsext-rfc2671bis-edns0-01.txt) clarifies this point:

========================================================================
4.4.2. Any OPTION-CODE values not understood by a responder or requestor
MUST be ignored.  So, specifications of such options might wish to
include some kind of signalled acknowledgement.  For example, an option
specification might say that if a responder sees option XYZ, it SHOULD
include option XYZ in its response.
========================================================================

And by the way, by EDNS0 "tags" you presumably mean EDNS0 "options" (in
the OPT RR rdata).

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
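To make the mechanics behind the quoted 4.4.2 text concrete, the following is an added Python example; it is not code from this thread, from libbind, or from the EDNS0 draft. It encodes an OPT pseudo-RR whose RDATA carries two options, parses it back with every OPTION-LENGTH bounds-checked against RDLENGTH, and shows that a requestor which does not implement a code simply drops that option and keeps the reply, while a responder that does implement it can echo it as the "signalled acknowledgement" the draft mentions. The option code 65001 (from the EDNS0 private-use range), its 12-byte prefix payload, the 2001:db8:64::/96 prefix, and the function names are assumptions made for the example; only TYPE 41, the OPT header layout, the DO bit and option code 3 (NSID) are real protocol constants.

```python
"""EDNS0 OPT RR encode/decode, showing how a requestor ignores unknown
option codes. Added example, not code from the thread or from libbind.
HYPOTHETICAL: option code 65001 (EDNS0 private-use range) marking a
NAT64-synthesized RR, with the 96-bit synthesis prefix as its payload."""
import struct

TYPE_OPT = 41
OPT_NSID = 3             # registered option (RFC 5001), our "known" option
OPT_SYNTHETIC = 65001    # HYPOTHETICAL private-use code, not IANA-assigned
DO_BIT = 0x8000          # DNSSEC OK flag, top bit of the OPT TTL's low 16 bits
# Constructed payload: 2001:db8:64::/96 as 12 bytes (documentation prefix).
SYNTH_PREFIX = bytes.fromhex("20010db80064000000000000")


def build_opt_rr(options, udp_payload=4096, do=True):
    """Encode an OPT pseudo-RR: root name (0x00), TYPE 41, CLASS = UDP
    payload size, TTL = ext-RCODE/version/flags, then RDATA made of
    (OPTION-CODE, OPTION-LENGTH, OPTION-DATA) triples."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data
                     for code, data in options)
    flags = DO_BIT if do else 0
    return (b"\x00"
            + struct.pack("!HHBBHH", TYPE_OPT, udp_payload, 0, 0, flags, len(rdata))
            + rdata)


def parse_opt_rr(buf, offset=0):
    """Decode one OPT RR at `offset`; returns (options, header, end_offset).
    Each OPTION-LENGTH is checked against RDLENGTH and the buffer, so a
    hostile option cannot make us read outside the record."""
    if buf[offset:offset + 1] != b"\x00":
        raise ValueError("OPT RR must carry the root name")
    rtype, payload, ext_rcode, version, flags, rdlen = struct.unpack_from(
        "!HHBBHH", buf, offset + 1)
    if rtype != TYPE_OPT:
        raise ValueError("not an OPT RR")
    if version != 0:
        raise ValueError("unsupported EDNS version (would answer BADVERS)")
    pos, end = offset + 11, offset + 11 + rdlen
    if end > len(buf):
        raise ValueError("RDLENGTH runs past end of message")
    options = []
    while pos < end:
        if end - pos < 4:
            raise ValueError("truncated option header")
        code, olen = struct.unpack_from("!HH", buf, pos)
        pos += 4
        if pos + olen > end:
            raise ValueError("OPTION-LENGTH overruns RDATA")
        options.append((code, bytes(buf[pos:pos + olen])))
        pos += olen
    header = {"udp_payload": payload, "ext_rcode": ext_rcode,
              "do": bool(flags & DO_BIT)}
    return options, header, end


def understood_options(options, supported):
    """Section 4.4.2 behaviour: keep the codes we implement and silently
    drop the rest. An unknown code is never a reason to reject the reply."""
    return [(code, data) for code, data in options if code in supported]


def acknowledged_options(request_options, supported):
    """Signalled acknowledgement: a responder echoes each request option it
    understands (payload per that option's own spec; here the request's),
    so the requestor can tell "understood" from "ignored"."""
    return [(code, data) for code, data in request_options if code in supported]


def truncated_option_rr():
    """Constructed malformed OPT RR: RDLENGTH says 4 bytes, but the single
    option header claims 10 bytes of data. parse_opt_rr must reject it."""
    return (b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0, 4)
            + struct.pack("!HH", OPT_NSID, 10))


def legacy_stub_view(reply_opt_rr):
    """What a stub that only knows NSID gets out of a reply that also carries
    the hypothetical synthetic marker: the marker is ignored, the reply kept."""
    options, _, _ = parse_opt_rr(reply_opt_rr)
    return understood_options(options, {OPT_NSID})


if __name__ == "__main__":
    reply = build_opt_rr([(OPT_SYNTHETIC, SYNTH_PREFIX), (OPT_NSID, b"ns1")])
    print("aware stub  :", parse_opt_rr(reply)[0])
    print("legacy stub :", legacy_stub_view(reply))
    try:
        parse_opt_rr(truncated_option_rr())
    except ValueError as e:
        print("malformed   :", e)
```

The point of the bounds checks is that the OPT RDATA arrives from the network: a resolver that, like the libbind behaviour described above, does not look at the additional section cannot be tripped by a bad OPTION-LENGTH, but one that does parse options must refuse a length that overruns RDLENGTH rather than read past the record. The hypothetical marker is only a hint to the receiving host; it does not make the synthesized AAAA validate under DNSSEC, which is the problem the Level 1 proposal explicitly leaves open.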