Brian Dickson wrote on 2022-04-07 14:26:
...
> However, that does provide motivation for (a) signing zones, and (b)
> resolvers doing validation with synthesis.
> Together, those reduce (a) load on auth servers, and (b) cache
> pollution. Win/win.

if those pigs had wings, they could indeed fly. (the motivation is
asymmetric to the benefit, so this is like all other things dnssec
related, and most things ipv6 related, and so on.)

wildcard synthesis should always have been resolver-side. now we live
like this. a zero-length EDNS option with a name like REALWILD that
asked the authority server to include *.example.com as an answer's owner
name (rather than www.example.com by synthesis) is probably the way out
of this hell.
--
P Vixie