On Wed, Mar 2, 2016 at 6:49 AM, Evan Hunt <[email protected]> wrote:

> On Wed, Mar 02, 2016 at 08:06:39AM +1100, Mark Andrews wrote:
> > ANC does not work for zones using OPTOUT. This is just about all
> > TLDs and similar zones.
>
> To be pedantic, it doesn't work for optout ranges. I don't actually know
> offhand of any zones that mix optout and non-optout, though, so it's a
> fairly pointless quibble.
>
> > That then leaves leaf zones. Here sites will not want ANC for their
> > own zones internally. Externally there is only real benefit if you
> > are under a random prefix DoS attack.
>
> Random prefix DoS attacks are prevalent enough nowadays to make
> this seem like a rather significant exception.
>

+1

>
> The downsides should be manageable. We can implement ANC so that it's
> separately enabled or disabled for different namespaces, and put a TTL
> cap on NSEC/NSEC3 records in zones that have ANC enabled.
>

I personally think we should start up a conversation on good practices for TTLs based on the fact we have reliable, fast, dynamic Internet.

>
> I agree with the suggestion upthread that we address the general case
> instead of the root-only solution.
>

We agree

Olafur
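Added example, not part of the original message or of any resolver's code: a small range cache showing the three points raised in the thread, namely ANC enabled per namespace, a TTL cap on cached denial ranges, and opt-out ranges being unusable. All names (`NegativeRangeCache`, `DenialRange`, the `example.com` records) are constructed; the example compares plain names as NSEC does, and assumes DNSSEC validation and wildcard checks happen elsewhere.

```python
from dataclasses import dataclass

def canon_key(name):
    # RFC 4034 canonical order: lowercase, compare labels right to left.
    return [l.encode() for l in reversed(name.lower().rstrip(".").split("."))]

@dataclass
class DenialRange:
    owner: str             # name that exists
    next_name: str         # next existing name in the zone
    ttl: int               # TTL from the response, in seconds
    opt_out: bool = False  # stands in for the NSEC3 Opt-Out flag
    expires: float = 0.0

class NegativeRangeCache:
    def __init__(self, enabled_zones, ttl_cap):
        self.enabled = {z.lower().rstrip(".") for z in enabled_zones}
        self.ttl_cap = ttl_cap
        self.ranges = {}

    def add(self, zone, rng, now):
        zone = zone.lower().rstrip(".")
        # Opt-out ranges prove nothing about unsigned delegations: skip them.
        if zone not in self.enabled or rng.opt_out:
            return False
        rng.expires = now + min(rng.ttl, self.ttl_cap)
        self.ranges.setdefault(zone, []).append(rng)
        return True

    def covered(self, zone, qname, now):
        # True when a cached, unexpired range proves qname does not exist.
        q = canon_key(qname)
        for r in self.ranges.get(zone.lower().rstrip("."), []):
            if r.expires <= now:
                continue
            lo, hi = canon_key(r.owner), canon_key(r.next_name)
            # The last range in a zone wraps back to the apex (hi <= lo).
            if lo < q and (q < hi or hi <= lo):
                return True
        return False

def demo(now=10):
    # Constructed zone data and constructed random-prefix query names.
    cache = NegativeRangeCache(enabled_zones=["example.com"], ttl_cap=300)
    cache.add("example.com", DenialRange("alpha.example.com", "mail.example.com", 86400), now=0)
    cache.add("example.com", DenialRange("mail.example.com", "www.example.com", 86400, opt_out=True), now=0)
    queries = ["c4t9x.example.com", "Kq91z.example.com", "q0w8e.example.com"]
    return [cache.covered("example.com", q, now) for q in queries]
```

The first two random names fall inside the cached range and can be answered without contacting the authoritative server; the third falls in the opt-out range and still has to be forwarded.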
