In message <CAJE_bqeuPrvnyS5NXBqMUjxOES-SrQftXN=hwvb0fxcnueg...@mail.gmail.com>
, 神明達哉 writes:
> At Mon, 29 Feb 2016 16:54:49 +0000,
> Edward Lewis <[email protected]> wrote:
> 
> > >Please no. (Ed might disagree with me on this.) I think every document
> > >that talks about the DNS in the IETF is about the IANA-administered DNS
> > >except where loudly noted.
> >
> > I very much disagree coming from operating DNS on networks other than the
> > global public Internet.
> 
> I'm with Ed here.  In my understanding RFCs of DNS related protocols
> generally don't make such explicit notes but are still generally used
> in DNS operations in closed intranets.  And I think that's a more
> sensible default interpretation.  So, if a document relies on specific
> characteristics of the IANA-administered DNS like this draft, it's
> better to note that explicitly (on the other hand, I don't think we
> should consider draft-fujiwara-dnsop-nsec-aggressiveuse to be limited
> to the IANA-administered DNS simply because it doesn't loudly note it
> can be used more generally).
> 
> --
> JINMEI, Tatuya

You could apply the technique to any signed zone where you are not
worried about not having instant visibility after adding a new name
to the zone.  It is the latter that is a property of the root zone
which is missing in many others.  People want to be able to create
a delegation in .com and have it available for use within a couple
of minutes.

That said .COM is OPTOUT (NSEC3 is fine) so you can't do ANC there
anyway but the principle still applies to other zones.

I'm not worried about this one at all and no one else should be
either if you think about it.  This is an opportunistic optimisation.

If you have the NSEC records then you can synthesise the negative
response.  If you don't, which will happen with a fresh cache, then
you perform a lookup, validate the response, etc.  The worst that
will happen is that you waste time looking for NSEC records in the
cache and don't find them.

Mark

> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
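
The lookup order described in the message above, as an added example (not code from the draft or from any poster on the thread). It assumes the cached NSEC records were already DNSSEC-validated and that the zone has no wildcards; the record layout, the sample names and the `full_lookup` callback are constructed for illustration.

```python
import time

def canonical_key(name):
    """RFC 4034 section 6.1 ordering: compare labels right to left, case-folded."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return [l.encode("ascii") for l in reversed(labels)]

def covers(nsec, qname):
    """True if this NSEC proves that qname does not exist."""
    o = canonical_key(nsec["owner"])
    n = canonical_key(nsec["next"])
    q = canonical_key(qname)
    if nsec["delegation"] and q[:len(o)] == o:
        return False      # at or below a zone cut: a parent-side NSEC proves nothing
    if o < n:
        return o < q < n  # qname sorts strictly between owner and next name
    return q > o          # last NSEC in the chain wraps back to the apex

def resolve(qname, nsec_cache, full_lookup, now=None):
    """Answer from cached NSECs when one covers qname, else do the normal lookup."""
    now = time.time() if now is None else now
    for nsec in nsec_cache:
        if nsec["expires"] > now and covers(nsec, qname):
            return ("NXDOMAIN", "synthesised")
    # Fresh cache or no covering record: the only cost was the failed search above.
    return (full_lookup(qname), "queried")

# Constructed sample: part of the NSEC chain of a root-like signed zone.
# "delegation" stands for "NS bit set, SOA bit clear" in the NSEC type bitmap.
CACHE = [
    {"owner": ".",    "next": "aaa.",  "delegation": False, "expires": 2000},
    {"owner": "com.", "next": "coop.", "delegation": True,  "expires": 2000},
    {"owner": "zw.",  "next": ".",     "delegation": True,  "expires": 2000},
]
```
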
