> On Mar 2, 2021, at 6:46 PM, Peter van Dijk <peter.van.d...@powerdns.com> wrote:
>
> Compared to REFUSED, the synthetic RRSIG has the benefit of not causing
> a retry towards another auth (as Florian said); why not go another step
> then and make it cacheable? You say 'no point in caching', I agree, but
> then how about going another step and saying 'no point in a resolver
> repeating this question on behalf of a client every second' - so put a
> juicy TTL on it.

That way caches end up storing useless garbage, so the question is what
to optimise for: avoiding filling caches with garbage when each query
asks for a different name, or avoiding repeated queries for the RRSIG
of a fixed name. It is not clear which is the better choice; open to
discussion, I guess. I don't have religion on this point; the 0 TTL is
my gut instinct.

--
Viktor.