Proposal for using NAPTR/URI records
Brandon Allbery
ballbery at sinenomine.net
Thu Feb 26 15:13:40 EST 2015
On Thu, 2015-02-26 at 13:20 -0600, Nico Williams wrote:
> On Thu, Feb 26, 2015 at 07:19:27PM +0000, Brandon Allbery wrote:
> > On Thu, 2015-02-26 at 13:17 -0600, Nico Williams wrote:
> > > On Thu, Feb 26, 2015 at 05:15:15PM +0000, Brandon Allbery wrote:
> > > > On Thu, 2015-02-26 at 10:55 -0600, Nico Williams wrote:
> > > > > > 2. DNS stacks which drop queries for unknown QTYPEs.
> > > > >
> > > > > type=ANY.
> > > >
> > > > I've seen too many commodity routers that (a) insist on giving out the
> > > > address of their internal DNS caching server (b) silently drop any RR
> > > > they don't understand from cached/forwarded replies.
> > >
> > > How can (b) work in a DNSSEC world? I imagine the affected zones are
> > > opting out.
> >
> > You think commodity routers speak DNSSEC?
>
> No, but I'm asking what results. It must be equivalent to a timeout.
The router ignores DNSSEC (and EDNS for that matter) entirely, so you
get a timeout or you get no signature back and it's on the client to
ignore them.
In any case, this will as a practical matter be deployed in places that
do not use DNSSEC.
--
brandon s allbery kf8nh sine nomine associates
allbery.b at gmail.com ballbery at sinenomine.net
unix openafs kerberos infrastructure xmonad http://sinenomine.net