In message <[email protected]>, Ray Bellis writes:
>
> On 01/03/2016 15:26, Ólafur Guðmundsson wrote:
>
> > Thus I consider your document a distraction, we should push the general
> > solution not a special case
>
> +1
>
> Ray

ANC can be both good and bad depending upon where it is used in the DNS.

For the root zone and DLV there is no downside to using ANC for those zones but the benefits of using ANC will decrease as the root zone increases in size (the ANC hit ratio will drop).

ANC does not work for zones using OPTOUT. This is just about all TLDs and similar zones.

For in-addr.arpa and ip6.arpa it may actually have strong negative consequences and you can't bring up a machine and have it be useful for certain classes of work until the NSEC* records have cleared the cache. Think of bringing up a replacement SMTP server.

That then leaves leaf zones. Here sites will not want ANC for their own zones internally. Externally there is only real benefit if you are under a random prefix DoS attack.

I actually don't see much benefit in deploying this generally.

Mark

> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
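
The reverse-zone case described in the message above, as an added example that is not part of the original message: a toy aggressive negative cache keeps answering NXDOMAIN for a newly published PTR name until the cached NSEC record expires. The zone 2.0.192.in-addr.arpa, the names, the TTL and every class and function name are constructed for illustration.

```python
# Added illustration (toy): no DNSSEC validation, wildcard proof or wrap-around NSEC.
from dataclasses import dataclass

def canon_key(name):
    """DNS canonical ordering key: labels right to left, lowercased bytes."""
    return [lab.encode("ascii") for lab in reversed(name.rstrip(".").lower().split("."))]

@dataclass
class Nsec:
    owner: str       # existing name that owns the NSEC record
    next_name: str   # next existing name in canonical order
    expires: int     # absolute time at which the cached copy expires
    def covers(self, qname):
        return canon_key(self.owner) < canon_key(qname) < canon_key(self.next_name)

class AncCache:
    def __init__(self):
        self.records, self.upstream_queries = [], 0
    def resolve(self, qname, now, authoritative):
        self.records = [r for r in self.records if r.expires > now]
        if any(r.covers(qname) for r in self.records):
            return "NXDOMAIN (synthesized)"   # answered without asking the zone
        self.upstream_queries += 1
        answer, nsec = authoritative(qname, now)
        if nsec is not None:
            self.records.append(nsec)
        return answer

def make_zone(names, ttl):
    """Constructed authoritative server: returns (rcode, covering NSEC or None)."""
    def authoritative(qname, now):
        if qname in names:
            return "NOERROR", None
        ordered = sorted(names, key=canon_key)
        for owner, nxt in zip(ordered, ordered[1:]):
            rec = Nsec(owner, nxt, now + ttl)
            if rec.covers(qname):
                return "NXDOMAIN", rec
        return "NXDOMAIN", None
    return authoritative

def demo():
    zone = "2.0.192.in-addr.arpa"                     # constructed sample zone
    names = {f"10.{zone}", f"20.{zone}"}
    auth, cache = make_zone(names, ttl=3600), AncCache()
    first = cache.resolve(f"15.{zone}", 0, auth)      # caches NSEC 10 -> 20
    names.add(f"12.{zone}")                           # new host's PTR published
    during = cache.resolve(f"12.{zone}", 100, auth)   # still denied from cache
    after = cache.resolve(f"12.{zone}", 3600, auth)   # cached NSEC has expired
    return first, during, after, cache.upstream_queries
```

`demo()` returns the three answers in order plus the number of queries that actually reached the authoritative server; the middle answer is the window in which the new host exists in the zone but is denied from cache.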
