>Reactions have been, um, mixed. Some folk say it's a no-brainer,
>others seriously dislike the idea.
As I understand it, this changes DNS caches so that for the root zone its behavior is somewhere between a cache and a secondary master. It slurps up a copy of the root zone by AXFR or rsync or something, checks that all the DNSSEC is valid, and then directly answers queries about that zone. All the info about the zone comes from the real master with TTL or other limits to avoid staleness, but once it has the info, it is in practice authoritative for the zone. (Although I realize that its answers to queries still say it's a cache, no AA bits on the answers.)

Since it has the whole zone, it can immediately return NXDOMAIN for names in the zone that don't exist, which is not something that caches currently do. Is the plan that it will infer by looking at the NSEC or NSEC3 records that nonexistent names don't exist, or is it just part of the design, it validated the zone, so it knows it has the whole thing?

The reason I ask is that I have suggested in the past that for DNSBLs or DNSWLs, which tend to have a lot of queries to names that don't exist, a DNSSEC-aware cache could synthesize the answers to reduce the load on the authoritative servers. The response from the dnsop crowd could politely be described as dismissive. Personally, I think it's fine to do it either way; if you don't want stale answers, you know how to set TTLs.

Another question is why one would limit this to the root, since it is hardly the only zone that has a lot of traffic, much of which is bogus. If you could cache in-addr.arpa, that would automagically do a lot of what's in RFC 6303. Or the servers at various parts of the Foo company could profitably cache foo.com, particularly if it's less administrative and technical hassle than setting up a local shadow master.

I also observe that it is very common to do basically this trick at busy mail sites for DNSBLs. The site copies the DNSBL zones using rsync or the like, serves it from a server on the LAN, and the caches are configured to find those zones from the local server rather than the normal place. These zones typically aren't DNSSEC signed for various reasons, but it occurs to me that the issues are different from the root, and allowing unsigned non-root zones could be OK.

R's,
John

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
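The post asks whether a cache holding a validated copy of a zone should synthesize NXDOMAIN by inspecting the NSEC records. The following is an added worked example (not code from the post, from any resolver, or from any IETF document) showing the NSEC-based version of that decision: canonical name ordering per RFC 4034 section 6.1, the "covering NSEC" test including the wrap-around record at the end of the chain, and the one case where a validated chain does not license a synthesized answer, namely a name below a delegation, which the cache must still forward. The NSEC chain used here is a constructed, five-record stand-in for a root-like zone (real TLD names are not implied); NSEC3 is not handled.

```python
"""Aggressive negative answers from a DNSSEC-validated NSEC chain (added example).

A cache that holds a complete, validated copy of a zone can decide locally
whether a queried name is provably absent and answer NXDOMAIN itself instead of
forwarding every bogus query to the authoritative servers. This toy checker
works on NSEC (not NSEC3) and on a constructed chain, not real zone data.
"""


def _norm(name):
    """Lower-case a name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def _labels_root_first(name):
    """Split a name into labels ordered from the root outward, as octet strings."""
    name = _norm(name).rstrip(".")
    if not name:
        return []
    return [lbl.encode("ascii") for lbl in reversed(name.split("."))]


def canonical_cmp(a, b):
    """RFC 4034 s6.1 canonical ordering: compare label by label starting at the
    root; each label as a case-folded octet string; a proper prefix sorts first."""
    la, lb = _labels_root_first(a), _labels_root_first(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def nsec_covers(owner, nxt, qname):
    """True if the NSEC 'owner -> nxt' proves no name exists strictly between
    them and qname falls into that gap. The last NSEC in a zone points back to
    the apex, so for that record the gap wraps around."""
    after_owner = canonical_cmp(owner, qname) < 0
    before_next = canonical_cmp(qname, nxt) < 0
    if canonical_cmp(nxt, owner) <= 0:  # wrap-around record
        return after_owner or before_next
    return after_owner and before_next


def _ancestors(qname):
    """Yield the proper ancestors of qname, nearest first, ending at the root."""
    q = _norm(qname)
    labels = q.rstrip(".").split(".") if q != "." else []
    for i in range(1, len(labels) + 1):
        rest = labels[i:]
        yield ".".join(rest) + "." if rest else "."


def classify(nsec_chain, qname):
    """Decide what a validating cache holding the whole zone may do for qname.

    Returns one of:
      'exists'     - qname is an owner name in the zone; answer from zone data
      'delegation' - qname is below a delegation (NS without SOA); the zone
                     says nothing about it, so forward the query as usual
      'nxdomain'   - a validated NSEC covers qname; NXDOMAIN may be synthesized
      'unknown'    - chain incomplete; fall back to normal resolution
    """
    q = _norm(qname)
    by_owner = {_norm(o): (_norm(n), set(t)) for o, n, t in nsec_chain}
    if q in by_owner:
        return "exists"
    for anc in _ancestors(q):
        if anc in by_owner:
            types = by_owner[anc][1]
            if "NS" in types and "SOA" not in types:
                return "delegation"
    for owner, (nxt, _types) in by_owner.items():
        if nsec_covers(owner, nxt, q):
            return "nxdomain"
    return "unknown"


# Constructed NSEC chain for a toy root-like zone: (owner, next, type bitmap).
TOY_ROOT_NSEC = [
    (".",        "aaa.",     ["SOA", "NS", "NSEC", "RRSIG", "DNSKEY"]),
    ("aaa.",     "com.",     ["NS", "DS", "NSEC", "RRSIG"]),
    ("com.",     "example.", ["NS", "DS", "NSEC", "RRSIG"]),
    ("example.", "zw.",      ["NS", "DS", "NSEC", "RRSIG"]),
    ("zw.",      ".",        ["NS", "DS", "NSEC", "RRSIG"]),  # wraps to apex
]

if __name__ == "__main__":
    for name in ["com.", "invalid.", "foo.invalid.", "www.example.com.", "zzz."]:
        print(f"{name:20s} -> {classify(TOY_ROOT_NSEC, name)}")
```

The delegation check is the part that matters operationally: in a root copy, almost every real query is for a name under some TLD, and for those the root's NSEC chain proves nothing, so the cache still has to chase the referral. Only names that would be siblings of the TLDs (or below a name the chain proves absent) can be answered locally, which is exactly the "bogus traffic" the post is talking about. The same logic applies unchanged to in-addr.arpa or a company zone, provided the copy was validated before it is trusted to say no.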
