Hello,

On 4.7.2017 05:54, Lanlan Pan wrote:
> Hi Tony,
> 
> We try to solve a similar wildcard problem.
> 
> NSEC/NSEC3 aggressiveuse (Section 5.3 Wildcards
> <https://tools.ietf.org/html/draft-ietf-dnsop-nsec-aggressiveuse-10#page-6>)
> :
> - NSEC/NSEC3 RR: give "NOT EXIST SUBDOMAIN" information.
> - cached deduced wildcard: give the default wildcard RR.
> 
> SWILD:
> - Directly give "ALL SUBDOMAIN" information, and the default wildcard RR.
> 
> SWILD is applicable even when Authoritative Nameservers don't give
> NSEC/NSEC3 RR.
> SWILD is applicable on non-validating Forwarding Resolvers.

If I understand it correctly:
- the only information added by SWILD RR is explicit information
about the original (unexpanded) name of wildcard owner
- the very same information can be obtained from RRSIG RR in a
synthesised answer (RRSIG labels < owner name labels)
- SWILD will work only if there are no nodes below the wildcard

Assuming this analysis is right, I'm against this proposal.

We can get even better behavior from aggressive NSEC use. Here are
advantages of aggressive NSEC use:
- does not require changes to existing authoritatives or signed zones
- less fragile (if we consider manual SWILD specification as an option)
- supports wildcards with nodes below it

Yes, the aggressive NSEC is limited to DNSSEC-signed zones. I think that
is okay: New features are provided only by the latest version of
the protocol.

Petr Špaček  @  CZ.NIC


> 
> Regards,
> 
> Tony Finch <d...@dotat.at <mailto:d...@dotat.at>> wrote on Monday, July 3, 2017 at
> 8:18 PM:
> 
>     Lanlan Pan <abby...@gmail.com <mailto:abby...@gmail.com>> wrote:
>     >
>     > This document specifies a new SWILD RR type for Intermediate
>     Nameservers to
>     > cache subdomain wildcard record, in order to reduce the cache size and
>     > optimize the wildcard domain cache miss.
> 
>     Isn't this functionality already provided by
>     https://tools.ietf.org/html/draft-ietf-dnsop-nsec-aggressiveuse ?
> 
>     Tony.
>     --
>     f.anthony.n.finch  <d...@dotat.at <mailto:d...@dotat.at>> 
>     http://dotat.at/  -  I xn--zr8h punycode
>     Fitzroy: Variable 4 for a time in north, otherwise northeasterly
>     becoming
>     cyclonic 5 to 7. Slight or moderate. Occasional rain. Moderate,
>     occasionally
>     poor.
> 
> -- 
> Best Regards
> 
> 潘蓝兰  Pan Lanlan

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
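
The RRSIG comparison mentioned in the reply above (RRSIG labels < owner name labels), as an added example that is not part of the original thread or of any resolver's code: it recovers the unexpanded wildcard owner from a synthesised answer using the Labels field rules of RFC 4034 section 3.1.3 and RFC 4035 section 5.3.2. The function names and the example.com records are constructed for illustration.

```python
# Added example: deduce the wildcard owner from a synthesised answer.
# Function names are hypothetical; names are in presentation format.

def split_labels(name):
    """Split a domain name into labels, honouring backslash escapes."""
    if name in ("", "."):
        return []                      # root has no labels to count
    labels, cur, i = [], [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            cur.append(name[i:i + 2])  # escaped char (e.g. "\.") stays in label
            i += 2
        elif ch == ".":
            labels.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(ch)
            i += 1
    if cur:                            # name given without trailing dot
        labels.append("".join(cur))
    return labels

def wildcard_source(owner, rrsig_labels):
    """Return the wildcard owner an answer was expanded from, else None.

    The Labels field excludes the root label and a leftmost "*" label.
    Raises ValueError if the field is out of range for this owner name,
    in which case the RRSIG must not be used to validate the RRset.
    """
    labels = split_labels(owner)
    count = len(labels) - (1 if labels and labels[0] == "*" else 0)
    if not 0 <= rrsig_labels <= count:
        raise ValueError("RRSIG Labels field out of range for owner name")
    if rrsig_labels == count:
        return None                    # not produced by wildcard expansion
    kept = labels[len(labels) - rrsig_labels:]
    return "*." + ".".join(kept) + "." if kept else "*."

if __name__ == "__main__":
    # Constructed sample: (owner name in the answer, RRSIG Labels field)
    for owner, n in [("foo.bar.example.com.", 2), ("www.example.com.", 3)]:
        print(owner, "->", wildcard_source(owner, n))
    # Reusing the deduced wildcard for a *different* query name still needs
    # NSEC/NSEC3 proof that no closer match exists below the wildcard.
```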
