Doug Barton wrote:

>> Consider “www.host.group.department.example.com
> 
> Your analysis is correct, but only for a cold cache. Once the
> resolver has cached the NS records for group.department.example.com
> the penalty no longer applies.

As the choice between privacy and latency is on the resolver side,
moderate latency is not harmful.

Note that DNSSEC with a cold cache should mean prohibitively
long initial latency, which means those who try to use DNSSEC
must give up security of privacy.

> FWIW, I also have some concerns about empty non-terminals,

Right, NXDOMAIN returned by some broken implementation for
empty non-terminals MUST NOT be interpreted to mean that the
terminals do not exist.

                                        Masataka Ohta

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
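
Added example, not part of the original message or of any resolver's code: a small Python model of a resolver that sends one more label per query for the name quoted in the thread. It shows the cold-cache versus warm-cache query count and why an NXDOMAIN for an empty non-terminal from a broken server should trigger a fallback to the full name instead of ending resolution. The zone cuts, record set, function names and the `trust_intermediate_nxdomain` switch are constructed assumptions.

```python
# Constructed namespace for the name quoted in the thread (illustrative only).
NAME = "www.host.group.department.example.com."
ZONE_CUTS = {"com.", "example.com.", "department.example.com.",
             "group.department.example.com."}
RECORDS = {NAME}  # the only name that owns an A record

def authoritative_answer(qname, qtype, broken_ent=False):
    """Model of what the authoritative side returns for one query."""
    if qname in ZONE_CUTS:
        return "REFERRAL" if qtype == "NS" else "NODATA"
    if qname in RECORDS:
        return "ANSWER" if qtype == "A" else "NODATA"
    # Empty non-terminal: owns no records but has a descendant that does.
    if any(r.endswith("." + qname) for r in RECORDS):
        return "NXDOMAIN" if broken_ent else "NODATA"
    return "NXDOMAIN"

def resolve(qname, cache, broken_ent=False, trust_intermediate_nxdomain=False):
    """Walk qname one label at a time; return (result, upstream query count)."""
    labels = qname.rstrip(".").split(".")
    queries = 0
    for i in range(len(labels) - 1, 0, -1):
        partial = ".".join(labels[i:]) + "."
        if partial in cache:
            continue  # already known to exist, no upstream query needed
        queries += 1
        rcode = authoritative_answer(partial, "NS", broken_ent)
        if rcode in ("REFERRAL", "NODATA"):
            cache.add(partial)  # name exists; remember it for later lookups
        elif rcode == "NXDOMAIN":
            if trust_intermediate_nxdomain:
                return "NXDOMAIN", queries  # descendants wrongly written off
            break  # tolerate broken servers: ask for the full name instead
    queries += 1
    return authoritative_answer(qname, "A", broken_ent), queries

if __name__ == "__main__":
    cache = set()
    print("cold cache:", resolve(NAME, cache))
    print("warm cache:", resolve(NAME, cache))
    print("broken ENT, NXDOMAIN trusted:", resolve(NAME, set(), True, True))
    print("broken ENT, fallback to full name:", resolve(NAME, set(), True))
```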
