In message <[email protected]>, Mark Andrews writes:
> In message <[email protected]>, "Wessels, Duane" writes:
>  
> > I think the WG needs to discuss and agree whether or not to make the
> > NXDOMAIN cut based on QNAME only, or on the SOA owner name.  If the
> > goal is to thwart random qname attacks, then it would be better to
> > use the SOA (or hope for wide adoption of qname minimization).

How can the NXDOMAIN be based on the SOA owner name?  It identifies the
administrative boundary not whether names exist or not.

NSEC / NSEC3 can thwart random qname as those define the containing
namespace.  <random>.existing.name.example can't be thwarted by
looking for parent NXDOMAINs as they don't exist.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
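
The distinction drawn in the message above, as an added example that is not part of the original thread: a cached parent NXDOMAIN covers only names at or below it, while a validated NSEC record covers every name in the gap between its owner and next name under RFC 4034 canonical ordering. The zone names, the NSEC pair and all function names are constructed for illustration; the sketch assumes the NSEC is already DNSSEC-validated and that existing.name.example is not a delegation, and it ignores wildcards.

```python
# Added illustration: all names and cache contents below are constructed.

def canonical_key(name):
    """RFC 4034 section 6.1 ordering key: labels right to left, lowercased."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode("ascii") for label in reversed(labels))

def covered_by_nxdomain_cut(qname, cached_nxdomains):
    """True if qname is at or below a name already cached as NXDOMAIN."""
    q = canonical_key(qname)
    for cut in cached_nxdomains:
        c = canonical_key(cut)
        if q[:len(c)] == c:
            return True
    return False

def covered_by_nsec(qname, nsec_owner, nsec_next):
    """True if qname lies strictly inside the (owner, next) gap of an NSEC."""
    q, o, n = (canonical_key(x) for x in (qname, nsec_owner, nsec_next))
    if o < n:
        return o < q < n
    # Last NSEC in the zone: next is the apex, so the gap runs to the zone end.
    return q > o and q[:len(n)] == n

# Constructed resolver state: one cached NXDOMAIN and one cached NSEC.
CACHED_NXDOMAINS = {"gone.name.example"}
CACHED_NSEC = ("existing.name.example", "zebra.name.example")

def classify(qname):
    """Say which cached negative data, if any, answers qname without a query."""
    if covered_by_nxdomain_cut(qname, CACHED_NXDOMAINS):
        return "nxdomain-cut"
    if covered_by_nsec(qname, *CACHED_NSEC):
        return "nsec-range"
    return "must-query"

if __name__ == "__main__":
    for q in ("a8f3.gone.name.example",      # parent is a cached NXDOMAIN
              "a8f3.existing.name.example",  # parent exists: no cut to find
              "existing.name.example",       # NSEC owner itself exists
              "a8f3.other.example"):         # outside any cached data
        print(f"{q:32} {classify(q)}")
```
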
