Warren,

On Thu, 15 Oct 2015 13:53:51 -0400 Warren Kumari <[email protected]> wrote:
> I wanted to mention a document that Geoff and I wrote a few weeks back:
>
> draft-wkumari-dnsop-cheese-shop-00 - "Believing NSEC records in the
> DNS root" - https://datatracker.ietf.org/doc/draft-wkumari-dnsop-cheese-shop/
>
> Basically this is a simplification of Kazunori Fujiwara's
> I-D.fujiwara-dnsop-nsec-aggressiveuse, restricted in scope to only be
> validated NSEC, and only for the root. Being simpler, we believe that
> cheese-shop allows for simpler implementation and gaining experience.
> We complement, not compete with, nsec-aggressiveuse.
>
> The root has some nice properties -- we understand a lot about the
> structure of the zone (e.g. no wildcards, no CNAMEs), and it is known
> to get a bunch of junk queries.
> Using NSEC for negative caching is known to work well in this case; we
> can expand the scope of the document sometime after discussions...
I like Fujiwara's idea, so I favor anything that helps move it along. I tend to think that it would be nice to solve the general case, but I understand your motivation here.

I can see the issue with wildcards - a resolver has to do a separate query to confirm that there are no wildcards for a zone, and then presumably caching needs to take the minimum of the wildcard NSEC TTL and any other NSEC TTL. There is a win in the root because, as you point out, there is no wildcard.

I don't see the issue with CNAME, though. What is that?

Cheers,

--
Shane

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
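
The two-proof rule Shane describes above (one validated NSEC covering the queried name, a second one covering the wildcard at the closest encloser, and the synthesized answer living for the shorter of the two TTLs), together with the delegation caveat that makes the root's "no wildcards" structure convenient, as an added Python example. This is not code from the cheese-shop draft, from Fujiwara's draft, or from either poster; the NSEC records, type bitmaps and TTLs in it are constructed sample data shaped like root-zone NSECs, not the real root zone, and the cache is assumed to hold only records that were DNSSEC-validated before being stored.

```python
"""Aggressive use of validated NSEC records for negative answers, showing the
wildcard and delegation checks discussed in this thread.  Added illustration,
not the draft's code.  The records below are a constructed stand-in for a
validated cache, not the real root zone."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class NSEC:
    owner: str             # owner name, e.g. "com."
    next: str              # next owner name in canonical order
    types: frozenset[str]  # type bitmap, e.g. {"NS", "DS", "RRSIG", "NSEC"}
    ttl: int               # remaining TTL of the cached record


def canonical_key(name: str) -> list[bytes]:
    """RFC 4034 s6.1 canonical ordering: labels are compared right to left,
    case-insensitively, byte by byte, with a shorter prefix sorting first.
    Comparing Python lists of bytes does exactly that on the reversed labels;
    the root '.' becomes [] and so sorts before everything."""
    name = name.rstrip(".")
    return [lab.lower().encode() for lab in reversed(name.split("."))] if name else []


def is_subdomain(name: str, ancestor: str) -> bool:
    a, n = canonical_key(ancestor), canonical_key(name)
    return len(n) > len(a) and n[:len(a)] == a


def is_delegation(rec: NSEC) -> bool:
    return "NS" in rec.types and "SOA" not in rec.types


def covers(rec: NSEC, qname: str) -> bool:
    """True if rec proves qname does not exist: owner < qname < next, with the
    zone's last NSEC (next = apex, which sorts first) wrapping around.  An NSEC
    at a delegation point says nothing about names below the zone cut
    (RFC 6840 s4.1), which is why a root NSEC for "com." cannot deny "foo.com."."""
    if is_delegation(rec) and is_subdomain(qname, rec.owner):
        return False
    k, ko, kn = canonical_key(qname), canonical_key(rec.owner), canonical_key(rec.next)
    if kn <= ko:                 # wrap-around record at the end of the zone
        return ko < k
    return ko < k < kn


def lookup(cache: list[NSEC], qname: str):
    """('exists', rec) if qname is an NSEC owner, ('covered', rec) if some NSEC
    proves it absent, (None, None) if the cache cannot say either way."""
    kq = canonical_key(qname)
    for rec in cache:
        if canonical_key(rec.owner) == kq:
            return "exists", rec
    for rec in cache:
        if covers(rec, qname):
            return "covered", rec
    return None, None


def synthesize_nxdomain(cache: list[NSEC], qname: str) -> int | None:
    """TTL for a cache-synthesized NXDOMAIN, or None if a query must be sent.
    Needs (1) an NSEC covering qname and (2) an NSEC covering the wildcard at
    the closest encloser, because a wildcard there would make qname exist;
    the answer lives for the shorter of the two TTLs.  (RFC 8198 also caps it
    by the SOA minimum field; that is omitted here.)"""
    status, rec = lookup(cache, qname)
    if status != "covered":
        return None                       # name exists (NODATA case) or unknown
    labels = qname.rstrip(".").split(".")
    closest = None
    for i in range(1, len(labels) + 1):   # walk up until an ancestor exists
        ancestor = ".".join(labels[i:]) + "." if i < len(labels) else "."
        a_status, a_rec = lookup(cache, ancestor)
        if a_status == "exists":
            if is_delegation(a_rec):
                return None               # below a zone cut: not this zone's call
            closest = ancestor
            break
        if a_status != "covered":
            return None                   # ancestor neither proven nor denied
    if closest is None:
        return None
    wildcard = "*." if closest == "." else "*." + closest
    w_status, w_rec = lookup(cache, wildcard)
    if w_status != "covered":
        return None                       # no proof that no wildcard applies
    return min(rec.ttl, w_rec.ttl)


# Constructed sample cache: shaped like root-zone NSECs (NS+SOA only at the
# apex, a delegation per TLD), but the names and TTLs are made up for the demo.
ROOT_LIKE_CACHE = [
    NSEC(".",     "aaa.",      frozenset({"NS", "SOA", "RRSIG", "NSEC", "DNSKEY"}), 3600),
    NSEC("com.",  "commbank.", frozenset({"NS", "DS", "RRSIG", "NSEC"}), 86400),
    NSEC("coop.", "corsica.",  frozenset({"NS", "DS", "RRSIG", "NSEC"}), 86400),
    NSEC("llp.",  "lol.",      frozenset({"NS", "DS", "RRSIG", "NSEC"}), 1800),
    NSEC("zw.",   ".",         frozenset({"NS", "DS", "RRSIG", "NSEC"}), 86400),
]

if __name__ == "__main__":
    for q in ("corp.", "LOCAL.", "www.corp.", "zzz.", "foo.com.", "com.", "nonexistent."):
        print(f"{q:14} -> {synthesize_nxdomain(ROOT_LIKE_CACHE, q)}")
```

Two things the sample run shows: the apex NSEC is what proves "*." absent, so dropping it from the cache stops every synthesized root NXDOMAIN even when a covering NSEC is present; and "foo.com." is refused because the "com." NSEC is a delegation, which is the same restriction that keeps a root-only implementation from answering for names inside TLDs.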
