On Thu, Feb 25, 2016 at 10:34 AM Paul Hoffman <[email protected]> wrote:
> On 25 Feb 2016, at 10:18, Ted Lemon wrote:
>
>> I'm sorry to be a sticky wicket here, but I have to ask: have you
>> thought about what a guaranteed-correct implementation of this would
>> look like? I think you need to actually do that analysis before we
>> proceed with this.
>
> Can you say more? It seems like the spec in the draft is a
> guaranteed-correct implementation: if you have a current validated
> statement that nothing exists between N1 and N2, and you later get a
> query for something between N1 and N2, send back NXDOMAIN directly.

As discovered by Geoff Huston, Google Public DNS (8.8.8.8) already does this[0].

>> As best I understand it, getting this right is not trivial, and
>> getting it wrong would be harmful.

I think that the "getting it right" for a DNSSEC validator is fairly trivial[1], but I fully agree that cocking it up would be harmful.

W

[0]: IIRC, this was while collecting data for his "On Queries to the Root" presentation. Sorry for not saying this earlier, I wanted to clear it with folk / not step on toes.
[1]: much more so than many of the other thingies that DNSSEC validators do!

>> While it clearly would help in
>> the context of widespread adoption of DNSSEC, I'm not convinced that
>> the security risk of the added complexity would be compensated for by
>> an actual reduction in woe at the root.
>
> Please say more about the "security risk". I'm missing it.
>
> --Paul Hoffman
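The mechanism Paul describes (a validated statement that nothing exists between N1 and N2, reused to answer a later query in that gap) and Ted's "getting this right is not trivial" point, as an added example that is not code from the thread, the draft, or Google Public DNS: a small Python model of per-zone aggressive negative caching. The `Nsec` and `NsecCache` classes and the `example.` zone are constructed for this example; the canonical ordering follows RFC 4034 section 6.1, and the closest-encloser, wildcard and delegation checks are the conditions a validator has to apply before it may return a synthesized NXDOMAIN.

```python
"""Aggressive negative caching from validated NSEC records.

Added example (not code from Google Public DNS, the draft, or any resolver):
a cache of DNSSEC-validated NSEC records for ONE zone that answers "is this
name provably nonexistent?" without a new upstream query.  The zone, its
names and the queries are constructed for illustration.
"""
from dataclasses import dataclass


def canonical_key(name: str) -> tuple:
    """DNSSEC canonical ordering (RFC 4034 s6.1): compare label by label from
    the root, case-insensitively; a name sorts before every name below it."""
    labels = [l.lower() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


@dataclass(frozen=True)
class Nsec:
    owner: str          # owner name of the NSEC record (an existing name)
    next_name: str      # next existing name in canonical zone order
    types: frozenset    # type bitmap of the owner
    validated: bool     # result of DNSSEC validation for this record

    def covers(self, qname: str) -> bool:
        """True if qname lies strictly between owner and next_name.  The last
        NSEC of a zone points back to the apex, so its interval wraps around."""
        o, n, q = (canonical_key(x) for x in (self.owner, self.next_name, qname))
        if o < n:
            return o < q < n
        return q > o or q < n          # wrap-around record: next_name is the apex


def closest_encloser(nsec_owner: str, qname: str) -> str:
    """Longest existing ancestor of qname.  Given an NSEC covering qname, every
    existing ancestor of qname sorts at or before the NSEC owner and is thus a
    prefix of it, so the closest encloser is their longest common suffix."""
    common = []
    for a, b in zip(canonical_key(nsec_owner), canonical_key(qname)):
        if a != b:
            break
        common.append(a)
    return ".".join(reversed(common)) + "."      # "." for the root


class NsecCache:
    """Validated NSEC records of a single zone.  One cache per zone: a parent
    zone's NSEC proves nothing about names inside a delegated child zone."""

    def __init__(self) -> None:
        self._records: list = []

    def add(self, rec: Nsec) -> None:
        # Only validated records may drive synthesis: a spoofed NSEC would
        # otherwise deny real names for as long as it stays cached.
        if rec.validated:
            self._records.append(rec)

    def _covering(self, name: str):
        return next((r for r in self._records if r.covers(name)), None)

    def _at(self, name: str):
        key = canonical_key(name)
        return next((r for r in self._records if canonical_key(r.owner) == key), None)

    def provably_nonexistent(self, qname: str) -> bool:
        """Synthesize NXDOMAIN only with the proof a validator demands: an NSEC
        covering qname AND one covering the wildcard at the closest encloser,
        with no delegation between this zone's apex and qname."""
        if self._at(qname) is not None:
            return False       # the name exists (maybe NODATA, never NXDOMAIN)
        cover = self._covering(qname)
        if cover is None:
            return False       # no cached proof: resolve normally
        ce = closest_encloser(cover.owner, qname)
        ce_rec = self._at(ce)
        if ce_rec is not None and "NS" in ce_rec.types and "SOA" not in ce_rec.types:
            return False       # below a delegation: the child zone decides
        wildcard = "*." + ce if ce != "." else "*."
        if self._covering(wildcard) is None:
            return False       # a wildcard at the closest encloser may exist
        return True


def build_example_cache(with_wildcard: bool = False) -> NsecCache:
    """Constructed zone 'example.' (NSEC chain in canonical order) with a
    delegation at sub.example. and, optionally, a wildcard *.example."""
    apex = {"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"}
    chain = [("example.", "*.example." if with_wildcard else "a.example.", apex)]
    if with_wildcard:
        chain.append(("*.example.", "a.example.", {"A"}))
    chain += [("a.example.", "c.example.", {"A"}),
              ("c.example.", "sub.example.", {"A"}),
              ("sub.example.", "z.example.", {"NS", "DS"}),  # delegation point
              ("z.example.", "example.", {"A"})]             # wraps to the apex
    cache = NsecCache()
    for owner, nxt, types in chain:
        cache.add(Nsec(owner, nxt, frozenset(types), validated=True))
    return cache


if __name__ == "__main__":
    c = build_example_cache()
    for q in ("b.example.", "foo.a.example.", "zz.example.", "www.sub.example.", "a.example."):
        print(q, "NXDOMAIN from cache" if c.provably_nonexistent(q) else "ask upstream")
```

The range test alone is the "between N1 and N2" rule from the draft; the delegation and wildcard checks are where a naive implementation of that rule goes wrong (a parent's NSEC cannot speak for a child zone, and a covered name may still get a wildcard answer). A real resolver additionally bounds synthesis by the NSEC's TTL and the RRSIG validity window, which this model leaves out; these are the conditions later written down in RFC 8198.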
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
