nanog mailing list archives

Re: VeriSign SMTP reject server updated


From: "Eric A. Hall" <ehall () ehsco com>
Date: Sun, 21 Sep 2003 11:28:09 -0500
on 9/21/2003 11:19 AM E.B. Dreger wrote:

> Return NOERROR for one type of RR, but NXDOMAIN for another?  Is
> that valid?!  Hit me with a clue-by-four if appropriate, but I
> thought NOERROR/NXDOMAIN was returned per-host, regardless of
> RRTYPE requested.  Giving NXDOMAIN for MX yet returning NOERROR
> for A RRs doesn't sound kosher.

It's not valid and it won't work very well if it works at all. Your local
cache will use whatever it learned on the last query.

This is the seed for another problem set with the various workarounds as
well, although I'm still thinking these through. Different servers that
provide different kinds of glue could theoretically trip your cache.

At this point, I think we're on the verge of having multiple (different)
namespaces, which is extremely dangerous. At the same time, the arguments
against multiple roots are pretty much going out the window.

To be clear, however, I don't think the workarounds are the problem. I
think VeriSign has broken DNS by conflating error codes.

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
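The cache behaviour Eric describes, as an added Python simulation that is not part of the original post: a resolver applying RFC 2308 negative caching (NXDOMAIN remembered for the whole name, NODATA remembered per type) is run against a constructed authoritative server that answers NXDOMAIN for MX but NOERROR for A on the same name, and against one that answers NODATA instead. The names, the 192.0.2.1 address and all function names are assumptions.

```python
"""Constructed simulation: how a caching resolver reacts to an authoritative
server that says NXDOMAIN for one RR type and NOERROR for another."""

NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"

def inconsistent_auth(name, rrtype):
    """Constructed server: synthesises an A record for any name (wildcard
    style) but answers NXDOMAIN to every other query type."""
    if rrtype == "A":
        return NOERROR, ["192.0.2.1"]   # documentation address, constructed
    return NXDOMAIN, []

def consistent_auth(name, rrtype):
    """Same data, but NOERROR with an empty answer (NODATA) for other types,
    which is the correct way to say 'the name exists, this type does not'."""
    if rrtype == "A":
        return NOERROR, ["192.0.2.1"]
    return NOERROR, []

class CachingResolver:
    def __init__(self, auth):
        self.auth = auth
        self.nxdomain_names = set()   # RFC 2308: NXDOMAIN is cached per name, all types
        self.rrset_cache = {}         # (name, rrtype) -> (rcode, answers), positive or NODATA
        self.upstream_queries = 0

    def query(self, name, rrtype):
        if name in self.nxdomain_names:
            return NXDOMAIN, []       # negative cache hit: no upstream query at all
        if (name, rrtype) in self.rrset_cache:
            return self.rrset_cache[(name, rrtype)]
        self.upstream_queries += 1
        rcode, answers = self.auth(name, rrtype)
        if rcode == NXDOMAIN:
            self.nxdomain_names.add(name)   # whole name now 'known' not to exist
        else:
            self.rrset_cache[(name, rrtype)] = (rcode, answers)
        return rcode, answers

def run_sequence(auth, order, name="nosuchname.example"):
    """Issue the queries in `order` through one cache; return the rcodes seen
    by the client and how many times the authoritative server was asked."""
    r = CachingResolver(auth)
    rcodes = [r.query(name, t)[0] for t in order]
    return rcodes, r.upstream_queries

if __name__ == "__main__":
    print(run_sequence(inconsistent_auth, ("A", "MX", "A")))  # A works until MX poisons the cache
    print(run_sequence(inconsistent_auth, ("MX", "A")))       # A never reaches the server
    print(run_sequence(consistent_auth, ("A", "MX", "A")))    # NODATA leaves the A record usable
```

Against the inconsistent server the client sees NOERROR, NXDOMAIN, NXDOMAIN for A, MX, A in turn, so which answer a host gets depends entirely on what its cache learned last; against the NODATA server every A query keeps succeeding.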