At Fri, 06 May 2016 00:49:33 +0900 (JST), [email protected] wrote:

> > - Abstract: I suggest revising this on this point (see above):
> >
> >   responses as well as some level of mitigation of random sub-domain
> >   attacks (referred to as "Water Torture" attacks).
> >
> > by either simply removing it or clarifying that it's mitigation for
> > authoritative servers.
>
> I would like to remain all benefits in the abstract.
I'm not sure if you agreed to my higher-level comment on the "benefit" as a DoS defense being too weak. According to the response to, e.g., the CD bit section, it seems you agreed, but in that case this doesn't make sense; at least that part of the "benefit" should be removed (not only from the abstract but from the draft in general).

> I will rewrite the sentence as the following.
>
>   With this proposal, it is expected that
>   performance improvement for recursive servers,
>   reducing garbage traffic to authoritative servers
>   and possible countermeasure of random subdomain attacks.

So, at least I'm opposed to this text. To repeat myself, my higher-level general suggestion is to re-purpose this draft as a possible performance (and network traffic) optimization, completely dropping the claim as a DoS defense, and revise overall text according to it. (You might disagree, but in that case my personal response to the adoption call will be "no").

> > - Section 4.5
> >
> >   Even if a wildcard is cached, it is necessary to send a query to an
> >   authoritative server to ensure that the name in question doesn't
> >   exist as long as the name is not in the negative cache.
>
> The sentence shows current specifications (Section 4.5 of RFC 4035 and
> previous RFCs).

Ah, so you actually referred to bullet #1 of RFC 4035 Section 4.5. I see that, but in that case I'd suggest you refer to the RFC explicitly here, and clarify that this is a "deduced" wildcard.

> >   When aggressive use is enabled, regardless of description of
> >   Section 4.5 of [RFC4035], it is possible to send a positive response
> >   immediately when the name in question matches a NSEC/NSEC3 RRs in the
> >   negative cache.
> >
> > I don't understand the second paragraph. I also don't understand
> > how the first paragraph is related to the second. I'm not sure if
> > it's only me, but I'd like to see more explanation here.
>
> The second sentence shows the aggressive use of ... changed the first
> paragraph.
I still don't get it here. Can you perhaps show a specific example of "send a positive response immediately when the name in question matches a NSEC/NSEC3 RRs in the negative cache."? Especially about how "a positive response" is derived from negative cache information?

--
JINMEI, Tatuya

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
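As an added illustration (not code from the draft or from anyone in this thread) of the cache logic the Section 4.5 question is about, the following Python models a resolver's aggressive use of cached NSEC records: a covering NSEC alone yields NXDOMAIN, while a covering NSEC plus a cached `*.<closest encloser>` RRset yields a synthesized positive answer, which is how a positive response can come out of negative-cache information. All names, records and function names are constructed for the example; DNSSEC validation of the cached records and the NSEC3 variant are assumed to be handled elsewhere.

```python
from itertools import takewhile

def canon(name):
    """Labels of a DNS name, lowercased and root-first (RFC 4034 section 6.1 ordering)."""
    return [l.lower() for l in reversed(name.rstrip(".").split("."))]

def canon_cmp(a, b):
    """-1/0/1 in canonical order: compare labels from the root; a proper prefix sorts first."""
    la, lb = canon(a), canon(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))

def covers(owner, nxt, qname):
    """True if NSEC owner->nxt proves qname absent; the last NSEC wraps back to the apex."""
    below, above = canon_cmp(owner, qname) < 0, canon_cmp(qname, nxt) < 0
    return (below and above) if canon_cmp(owner, nxt) < 0 else (below or above)

def closest_encloser(qname, owner, nxt):
    """Longest common ancestor of qname with the NSEC owner or next name (RFC 4592 term)."""
    q, best = canon(qname), []
    for n in (owner, nxt):
        common = [x for x, _ in takewhile(lambda p: p[0] == p[1], zip(q, canon(n)))]
        best = max(best, common, key=len)
    return ".".join(reversed(best)) + "."

def answer_from_cache(qname, qtype, nsecs, positive):
    """nsecs: cached (owner, next) NSEC pairs; positive: {name: {type: rdata}}. Returns
    ('NOERROR', rdata), ('NXDOMAIN', None), or ('QUERY', None) if an upstream query is needed."""
    q = qname.lower()
    if qtype in positive.get(q, {}):
        return "NOERROR", positive[q][qtype]
    for owner, nxt in nsecs:
        if not covers(owner, nxt, qname):
            continue
        wc = "*." + closest_encloser(qname, owner, nxt)
        if qtype in positive.get(wc, {}):
            # RFC 4035 4.5 forbids answering from the cached wildcard alone; the cached NSEC
            # proving qname absent is what lets the draft synthesize this positive answer.
            return "NOERROR", positive[wc][qtype]
        if any(covers(o, n, wc) for o, n in nsecs):
            return "NXDOMAIN", None   # qname and its wildcard both proven absent
        return "QUERY", None          # wildcard status unknown: cache cannot decide
    return "QUERY", None

# Constructed sample caches for zone "example." (A: no wildcard; B: wildcard TXT record).
NSEC_A = [("example.", "a.example."), ("a.example.", "c.example."), ("c.example.", "example.")]
NSEC_B = [("example.", "*.example."), ("*.example.", "a.example."), ("a.example.", "example.")]
POS_A, POS_B = {"a.example.": {"A": "192.0.2.1"}}, {"*.example.": {"TXT": "wild"}}
```

Querying `zzz.example. TXT` against cache B returns the wildcard's record without an upstream query, while `a.example. TXT` (an existing name with no cached TXT) still returns `QUERY`, since an NSEC never proves anything about a name it owns.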
