[avahi] Question on NSEC Support
Petr Menšík
pemensik at redhat.com
Tue Jan 17 18:39:22 UTC 2023
Hi,

I doubt outgoing DNS queries have EDNS with the DO bit set. Therefore they
do not receive NSEC(3) records via unicast DNS. But you asked about
multicast queries only, I guess.

I can tell for the nss-mdns plugin, because I have seen those parts
recently. They will not skip AAAA queries in reaction to anything. I am
confident an NSEC record would not change anything. I think it makes sense
to query addresses using an ANY query, which is defined to always return
all records on mDNS. That might deliver AAAA addresses just after
a query on IPv4.

I think at least the nss-mdns resolution of both A+AAAA (mdns_minimal or
mdns plugins) needs some change anyway. When the name is not found, it
currently waits 2*5s sequentially for each address family. It changes
one ANY query from libc to two separate queries. That is not what we
want. We should make avahi-daemon query for both addresses from a single
request. Now it responds to IPv4 and IPv6 separately, but does not track
their relation on the daemon side. That, I think, means NSEC is not handled
at the moment and would require non-trivial effort.

I am not sure we also have a negative cache, where an NSEC record could
insert bits for records other than just the queried one. Then a following
query could be answered right away even without more complicated bundled
query support.

Regards,
Petr

On 1/12/23 22:01, Chris Schroll wrote:
> Hi,
>
> Does avahi process NSEC record types? RFC 6762 sections 6.1 and 6.2
> refer to Negative Responses.
>
> i.e. If avahi receives an additional record of type NSEC asserting the
> non-existence of AAAA addresses, will it stop querying for AAAA?
>
> Thanks!
> Chris
--
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
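
An added illustration of the negative-cache idea discussed in the thread above (not code from avahi or nss-mdns, and not part of either message): a bounds-checked C parser for the NSEC Type Bit Maps field in the RFC 4034 wire layout, used to decide whether a received NSEC record asserts that a name has no AAAA record. The function names and sample byte strings are constructed for this example, and it assumes the caller has already skipped the Next Domain Name field of the rdata.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RRTYPE_A    1
#define RRTYPE_AAAA 28

/* Constructed sample bitmaps (window 0 only), not captured traffic. */
static const uint8_t A_ONLY[]     = {0x00, 0x01, 0x40};
static const uint8_t A_AND_AAAA[] = {0x00, 0x04, 0x40, 0x00, 0x00, 0x08};
static const uint8_t TRUNCATED[]  = {0x00, 0x04, 0x40}; /* claims 4 bytes, has 1 */

/* Returns 1 if rrtype is set in the bitmap, 0 if absent, -1 if malformed.
 * The whole field is validated before a result is returned, because the
 * bytes come from unauthenticated multicast traffic. */
int nsec_bitmap_has_type(const uint8_t *bm, size_t len, uint16_t rrtype)
{
    size_t off = 0;
    int found = 0, prev_window = -1;

    if (len == 0)
        return -1;                      /* no bitmap: nothing is asserted */
    while (off < len) {
        if (len - off < 2)
            return -1;                  /* truncated block header */
        int window = bm[off];
        size_t blen = bm[off + 1];
        off += 2;
        if (blen < 1 || blen > 32 || blen > len - off)
            return -1;                  /* bad length or runs past the rdata */
        if (window <= prev_window)
            return -1;                  /* windows must strictly increase */
        prev_window = window;
        if (window == (rrtype >> 8)) {
            size_t byte = (rrtype & 0xff) / 8;
            if (byte < blen && (bm[off + byte] & (0x80 >> (rrtype & 7))))
                found = 1;
        }
        off += blen;
    }
    return found;
}

/* Negative-cache decision: 1 only when a well-formed bitmap omits rrtype.
 * A malformed record never suppresses a query. */
int nsec_denies_type(const uint8_t *bm, size_t len, uint16_t rrtype)
{
    return nsec_bitmap_has_type(bm, len, rrtype) == 0;
}

int main(void)
{
    printf("A only, deny AAAA: %d\n", nsec_denies_type(A_ONLY, sizeof A_ONLY, RRTYPE_AAAA));
    printf("A+AAAA, deny AAAA: %d\n", nsec_denies_type(A_AND_AAAA, sizeof A_AND_AAAA, RRTYPE_AAAA));
    printf("truncated, deny AAAA: %d\n", nsec_denies_type(TRUNCATED, sizeof TRUNCATED, RRTYPE_AAAA));
    return 0;
}
```

Treating a malformed bitmap as "no assertion" keeps a spoofed or corrupted NSEC record from suppressing lookups for a type that actually exists.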