Re: NAT64 and DNSSec
At Wed, 26 Mar 2008 19:23:28 +0100,
marcelo bagnulo <marcelo@it.uc3m.es> wrote:
> - Level 1: We could add a tag on the DNS reply, EDNS0, marking these as
> synthetic RR, so the receiving host knows these are fake but that it
> should accept them anyway. This doesn't really solve the problem
> described above, but at least DNS semantics are preserved, since
> synthetic RR are explicitly marked and receivers know about that.
> (Question for DNS guys, do normal hosts accept DNS replies containing
> EDNS0 tags that they don't know? or do they drop these replies?)
I don't have a general answer, but libbind (which is incorporated into
the resolver library of many UNIX-like OSes) "accept"s such responses;
actually, it doesn't even care about the contents of the additional
section at all.
FYI, a proposed revised draft of EDNS0
(draft-ietf-dnsext-rfc2671bis-edns0-01.txt) clarifies this point:
========================================================================
4.4.2. Any OPTION-CODE values not understood by a responder or requestor
MUST be ignored. So, specifications of such options might wish to
include some kind of signalled acknowledgement. For example, an option
specification might say that if a responder sees option XYZ, it SHOULD
include option XYZ in its response.
========================================================================
And by the way, you should mean EDNS0 "options" (in the OPT RR rdata)
by EDNS0 "tags".
---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
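
An added example, not part of the original message and not libbind or ISC code: a receiver walking the options in OPT RR RDATA and ignoring OPTION-CODE values it does not understand, as the quoted 4.4.2 text requires. The option code 65001 used as a "synthetic RR" marker and all function names are assumptions made for illustration; no such option is defined in the thread.

```python
import struct

# Hypothetical marker option for "this answer holds synthetic RRs".
# 65001 is taken from the local/experimental code range; it is an assumption.
OPT_SYNTHETIC = 65001

def parse_edns_options(rdata: bytes):
    """Split OPT RR RDATA into (code, data) pairs.

    Each option is OPTION-CODE (2 bytes), OPTION-LENGTH (2 bytes), then data.
    Raises ValueError on truncation so malformed RDATA is never half-trusted.
    """
    options, offset = [], 0
    while offset < len(rdata):
        if len(rdata) - offset < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", rdata, offset)
        offset += 4
        if length > len(rdata) - offset:
            raise ValueError("option length exceeds RDATA")
        options.append((code, rdata[offset:offset + length]))
        offset += length
    return options

def handle_options(rdata: bytes, known: dict):
    """Run handlers for understood codes; ignore every other code."""
    understood, ignored = {}, []
    for code, data in parse_edns_options(rdata):
        if code in known:
            understood[code] = known[code](data)
        else:
            ignored.append(code)  # unknown option: skipped, reply still accepted
    return understood, ignored

def build_option(code: int, data: bytes = b"") -> bytes:
    return struct.pack("!HH", code, len(data)) + data

# Constructed sample RDATA: the hypothetical marker plus a second unknown option.
SAMPLE = build_option(OPT_SYNTHETIC) + build_option(65002, b"\x01\x02")

LEGACY = {}                                    # receiver that knows no options
UPDATED = {OPT_SYNTHETIC: lambda data: True}   # receiver that knows the marker

if __name__ == "__main__":
    print("legacy :", handle_options(SAMPLE, LEGACY))
    print("updated:", handle_options(SAMPLE, UPDATED))
```

The legacy receiver accepts the reply but never learns the records are synthetic, so a marker of this kind only informs hosts that have been updated to look for it.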