[bind10-dev] should b10-auth return CNAME chain?
JINMEI Tatuya / 神明達哉
jinmei at isc.org
Mon Jan 24 23:37:00 UTC 2011
At Mon, 24 Jan 2011 08:54:41 +0000,
Stephen Morris <stephen at isc.org> wrote:
> > We are now thinking about taking a different approach: don't return
> > any chain after CNAME and always have the resolver follow it
> > explicitly. Do it at least when the target zone isn't signed, and probably
> > keep the same behavior even for signed zones.
>
> My initial reaction is that using the principle of least astonishment, BIND-10 should do what BIND-9 does and return the entire chain as well.
I agree with the principle itself.
> The questions I have are (a) why the behaviour should change and (b)
> what benefit does it confer on users of the system.
I believe I already answered these questions, but to summarize:
1) not necessarily "should", but it seems the (rest of the) chain
isn't used in many deployed servers (and probably not used by any
servers in the "out-of-bailiwick" case)
2) probably none or very marginal for end users, but it helps keep the
code much simpler and more understandable.
---
JINMEI, Tatuya