>> It seems to me that deploying code under the assumption of only limited
>> caching of negative results is a good way to block all kinds of future
>> work, or alternatively, you may be in for a lot of pain if other people
>> decide that negative caching is more important.
>
>ANC was deliberately decided against when DNSSEC was being developed
>to avoid all of these issues.  DNSSEC secured the DNS, it did not
>change the semantics of the lookups.  ANC changes the semantics of
>the DNS.

So, if there is good enough motivation for ANC, then maybe NSEC could
have been invented independently.

>> For example, if you are about to add foo.example.com and you want to find
>> the zone cut, then looking up $DOES_NOT_EXIST.example.com will give you
>> the zone cut without revealing anything about 'foo'.
>
>No it doesn't.  The zone cut may be foo.example.com.  You can't
>avoid making a query for foo.example.com.  Looking for
>$DOES_NOT_EXIST.example.com does not tell you which zone contains
>foo.example.com.

In the unlikely event you want to update information at an apex, instead
of inserting names that are not supposed to exist at all, and you are
also not aware you are inserting at the apex, you can also
use $DOES_NOT_EXIST.foo.example.com.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop