> You could apply the technique to any signed zone where you are not
> worried about not having instant visibility after adding a new name
> to the zone.
I don't understand this. If I ask for foo.example and get NXDOMAIN, and 10 ms later you add a record at foo.example, my negative answer is cached for whatever your SOA TTL is. Using NSEC to synthesize responses doesn't fundamentally change the situation; it just increases the set of names that negative cache entries will cover and maybe changes the time if the NSEC and SOA TTLs are different.

Unless all of your TTLs are zero, there's no such thing as a new name that's instantly visible to every client. If someone's going to argue that you carefully watch your query stream and only add new names for which there hasn't been an NXDOMAIN query within the appropriate interval from any of your DNS servers, I'll believe it when I see it.

R's,
John

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
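The caching behaviour John describes, as an added toy model (not code from the message or from any real resolver): a zone with an NSEC chain, and a resolver that either caches NXDOMAIN per queried name or, in "aggressive" mode, also caches the NSEC RR from the negative answer and synthesizes NXDOMAIN for any later name it covers (the RFC 8198 idea). Assumptions: names are ordered per the RFC 4034 canonical ordering, the wildcard-proof NSEC is ignored, the negative TTL comes from the SOA and the synthesized-answer TTL from the NSEC RR (the two TTLs the message contrasts), and the zone contents, timings and TTL values are constructed for the example.

```python
"""Toy model: DNS negative caching with and without NSEC aggressive use."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """RFC 4034 s6.1 canonical ordering: labels compared right to left, case-folded."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode() for label in reversed(labels))


def nsec_covers(owner: str, nxt: str, qname: str, apex: str) -> bool:
    """True if the NSEC RR `owner -> nxt` proves that qname does not exist."""
    k = canonical_key(qname)
    lo = canonical_key(owner)
    if nxt == apex:  # last NSEC in the chain wraps to the apex: covers everything after owner
        return lo < k
    return lo < k < canonical_key(nxt)


@dataclass
class Zone:
    """Authoritative side: a signed zone with an NSEC chain (constructed example)."""
    apex: str
    soa_negative_ttl: int            # negative-answer TTL derived from the SOA (assumption)
    nsec_ttl: int                    # TTL on the NSEC RRs (assumption)
    names: Set[str] = field(default_factory=set)

    def add(self, name: str) -> None:
        self.names.add(name.lower())

    def chain(self) -> List[str]:
        return sorted(self.names | {self.apex}, key=canonical_key)

    def covering_nsec(self, qname: str) -> Optional[Tuple[str, str]]:
        chain = self.chain()
        for i, owner in enumerate(chain):
            nxt = chain[(i + 1) % len(chain)]
            if nsec_covers(owner, nxt, qname, self.apex):
                return (owner, nxt)
        return None

    def query(self, qname: str) -> Tuple[str, Optional[Tuple[str, str]]]:
        qname = qname.lower()
        if qname == self.apex or qname in self.names:
            return ("NOERROR", None)
        return ("NXDOMAIN", self.covering_nsec(qname))


@dataclass
class Resolver:
    """Recursive side: per-name negative cache, plus an NSEC cache in aggressive mode."""
    zone: Zone
    aggressive: bool
    neg_cache: Dict[str, int] = field(default_factory=dict)          # qname -> expiry
    nsec_cache: List[Tuple[str, str, int]] = field(default_factory=list)  # owner, next, expiry
    upstream_queries: int = 0

    def resolve(self, qname: str, now: int) -> str:
        qname = qname.lower()
        exp = self.neg_cache.get(qname)
        if exp is not None and now < exp:
            return "NXDOMAIN (cached)"
        if self.aggressive:
            for owner, nxt, nsec_exp in self.nsec_cache:
                if now < nsec_exp and nsec_covers(owner, nxt, qname, self.zone.apex):
                    return "NXDOMAIN (synthesized from NSEC)"   # no upstream query at all
        self.upstream_queries += 1
        rcode, nsec = self.zone.query(qname)
        if rcode == "NXDOMAIN":
            self.neg_cache[qname] = now + self.zone.soa_negative_ttl
            if self.aggressive and nsec is not None:
                self.nsec_cache.append((nsec[0], nsec[1], now + self.zone.nsec_ttl))
        return rcode


def scenario(aggressive: bool) -> Dict[str, object]:
    """Ask for foo, add foo right after, then see what each resolver mode returns."""
    zone = Zone("example.", soa_negative_ttl=300, nsec_ttl=300)
    for n in ("alpha.example.", "zulu.example."):
        zone.add(n)
    r = Resolver(zone, aggressive)
    out: Dict[str, object] = {}
    out["t0_foo"] = r.resolve("foo.example.", now=0)       # NXDOMAIN from the auth server
    zone.add("foo.example.")                                # the record is added moments later
    out["t1_foo"] = r.resolve("foo.example.", now=1)       # still negative, straight from cache
    out["t1_bar"] = r.resolve("bar.example.", now=1)       # never asked before; NSEC alpha..zulu covers it
    out["t301_foo"] = r.resolve("foo.example.", now=301)   # negative TTL expired, name now visible
    out["upstream"] = r.upstream_queries
    return out


if __name__ == "__main__":
    for mode in (False, True):
        print("aggressive" if mode else "classic", scenario(mode))
```

In both modes foo.example stays invisible until the negative TTL runs out, which is the message's point; the aggressive resolver additionally answers bar.example from the cached NSEC without ever contacting the zone, so the "set of names covered" grows even though no one ever queried bar.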
