On Thu, Apr 7, 2022 at 9:51 AM John R. Levine <jo...@iecc.com> wrote:
> A friend of mine asserts that wildcard DNS records are a problem because
> hostile clients can use them to fill up DNS caches with junk answers to
> random queries that match a wildcard. But it seems to me that you can do
> it just as well with random queries that match nothing and fill up the
> cache with NXDOMAIN junk answers. Am I missing something here?
>
> If you add DNSSEC, with or without RFC 8198 response synthesis, the
> details change but I don't think the answer does, it's about the same either
> way.

Yep, I agree.

However, that does provide motivation for (a) signing zones, and (b) resolvers doing validation with synthesis. Together, those reduce (a) load on auth servers, and (b) cache pollution. Win/win.

Brian
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
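Added illustration of the point made in this exchange; it is not code from the thread or from any DNS implementation. The simulation below builds a constructed signed zone (example.com with the names alpha and mike and, optionally, a wildcard, all single labels directly below the apex so that the closest encloser is always the apex and NSEC3 is not modelled) and feeds the same random junk names to two model resolvers. The first caches one entry per queried name, which is John's observation: a wildcard answer and an NXDOMAIN pollute the cache equally, one entry and one upstream query per name. The second applies RFC 8198 aggressive use of the validated cache: once it holds an NSEC covering a name it synthesises the NXDOMAIN (or the wildcard answer) itself, so both the cache and the load on the authoritative server are bounded by the zone size rather than by the number of junk queries, which is Brian's win/win. The class and function names and the 192.0.2.0/24 addresses are my own constructions.

```python
"""Resolver cache growth under random-subdomain queries: one-entry-per-name
caching versus RFC 8198 aggressive use of DNSSEC-validated cache (NXDOMAIN and
wildcard synthesis from NSEC).  Constructed zone data, no network I/O."""
import random
from collections import namedtuple

APEX = "example.com."  # constructed zone; addresses from 192.0.2.0/24
NSEC = namedtuple("NSEC", "owner next_owner")

def canonical_key(name):
    """RFC 4034 s6.1 canonical order: compare labels from the root down."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))

def covers(nsec, qname):
    """True when qname lies strictly between owner and next_owner (proof of non-existence)."""
    o, n, q = (canonical_key(x) for x in (nsec.owner, nsec.next_owner, qname))
    return o < q < n if o < n else (q > o or q < n)  # last NSEC wraps to the apex

class Zone:
    """Signed zone with an NSEC chain; answer() plays the authoritative server."""

    def __init__(self, apex, labels, wildcard_addr=None):
        self.apex, self.wild = apex, f"*.{apex}"
        self.rrsets = {f"{l}.{apex}": f"192.0.2.{10 + i}" for i, l in enumerate(labels)}
        if wildcard_addr:
            self.rrsets[self.wild] = wildcard_addr
        owners = sorted([apex, *self.rrsets], key=canonical_key)
        self.nsecs = [NSEC(o, owners[(i + 1) % len(owners)]) for i, o in enumerate(owners)]

    def covering(self, name):
        return next(n for n in self.nsecs if covers(n, name))

    def answer(self, qname):
        """Return (rcode, rrset or None, NSECs).  A wildcard-expanded answer is reported
        under the wildcard owner (a validator learns this from the RRSIG Labels field)."""
        if qname in self.rrsets:
            return "NOERROR", (qname, self.rrsets[qname]), ()
        cover_q = self.covering(qname)
        if self.wild in self.rrsets:
            return "NOERROR", (self.wild, self.rrsets[self.wild]), (cover_q,)
        return "NXDOMAIN", None, tuple({cover_q, self.covering(self.wild)})

class PerNameResolver:
    """Caches every answer, positive or negative, under the exact name queried."""

    def __init__(self, zone):
        self.zone, self.cache, self.auth_queries = zone, {}, 0

    def resolve(self, qname):
        if qname not in self.cache:
            self.auth_queries += 1
            self.cache[qname] = self.zone.answer(qname)[0]
        return self.cache[qname]

class AggressiveResolver:
    """RFC 8198: reuse validated NSECs (and the wildcard RRset) to synthesise
    answers instead of contacting the authoritative server for each new name."""

    def __init__(self, zone):
        self.zone, self.nsecs, self.rrsets, self.auth_queries = zone, set(), {}, 0

    def _cached_cover(self, name):
        return any(covers(n, name) for n in self.nsecs)

    def resolve(self, qname):
        if qname in self.rrsets:
            return "NOERROR"
        if self._cached_cover(qname):  # a cached NSEC already proves qname absent
            if self.zone.wild in self.rrsets:
                return "NOERROR"  # wildcard synthesis (RFC 8198 s5.3)
            if self._cached_cover(self.zone.wild):
                return "NXDOMAIN"  # NXDOMAIN synthesis (RFC 8198 s5.1)
        self.auth_queries += 1
        rcode, rrset, nsecs = self.zone.answer(qname)
        self.nsecs.update(nsecs)
        if rrset:
            self.rrsets[rrset[0]] = rrset[1]  # keyed by the wildcard owner when expanded
        return rcode

def random_labels(count, seed=1):
    """Constructed random labels standing in for junk queries (deterministic)."""
    rng, alphabet, labels = random.Random(seed), "abcdefghijklmnopqrstuvwxyz0123456789", set()
    while len(labels) < count:
        labels.add("".join(rng.choice(alphabet) for _ in range(8)))
    return sorted(labels)

def simulate(wildcard, count=1000):
    """Run both resolvers over the same names; report (cache entries, auth queries)."""
    zone = Zone(APEX, ["alpha", "mike"], "192.0.2.1" if wildcard else None)
    per_name, aggressive, rcodes = PerNameResolver(zone), AggressiveResolver(zone), set()
    for label in random_labels(count):
        qname = f"{label}.{APEX}"
        rcode = per_name.resolve(qname)
        assert rcode == aggressive.resolve(qname)  # synthesis never changes the answer
        rcodes.add(rcode)
    return {"per_name": (len(per_name.cache), per_name.auth_queries),
            "aggressive": (len(aggressive.nsecs) + len(aggressive.rrsets), aggressive.auth_queries),
            "rcodes": rcodes}
```

Running `simulate(True)` and `simulate(False)` over 1000 junk names gives the per-name resolver 1000 cache entries and 1000 authoritative queries in both cases, with or without the wildcard, while the aggressive resolver settles at three NSEC records (plus the one wildcard RRset) and three upstream queries in total. The only thing the wildcard changes is whether the synthesised answer is NOERROR or NXDOMAIN.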