On 11 August 2017 at 01:02, Lanlan Pan <abby...@gmail.com> wrote:

>> We can get even better behavior from aggressive NSEC use. Here are
>> advantages of aggressive NSEC use:
>> - does not require changes to existing authoritatives or signed zones
>> - less fragile (if we consider manual SWILD specification as an option)
>> - supports wildcards with nodes below it
> Yes, aggressive NSEC use has advantages if:
> 1) AUTH gives NSEC RR.
> 2) Every Intermediate Resolver supports DNSSEC validation and NSEC
> aggressive use.

It sounds like you're assuming that SWILD would be supported by caching
servers that do not support DNSSEC or NSEC aggressive use.  Why do you
expect implementers would adopt SWILD before adopting these much older

>> Yes, the aggressive NSEC is limited to DNSSEC-signed zones. I think that
>> is okay: New features are provided only by the latest version of
>> the protocol.
> But:
> 1) many wildcards occupy the Resolver cache, with no nodes below them.
> 2) for many wildcards, AUTH does not give NSEC RR.
> 3) many resolvers do not support DNSSEC validation, not to mention NSEC
> aggressive use.
> From the view of a new feature, SWILD can be an alternative, simpler choice to
> deploy.