> On 8 Apr 2022, at 09:12, Paul Vixie <[email protected]> wrote:
> Brian Dickson wrote on 2022-04-07 14:26:
>> ...
>> However, that does provide motivation for (a) signing zones, and (b)
>> resolvers doing validation with synthesis.
>> Together, those reduce (a) load on auth servers, and (b) cache pollution.
>> Win/win.
> if those pigs had wings, they could indeed fly. (the motivation is asymmetric
> to the benefit, so this is like all other things dnssec related, and most
> things ipv6 related, and so on.)
>
> wildcard synthesis should always have been resolver-side. now we live like
> this. a zero-length EDNS option with a name like REALWILD that asked the
> authority server to include *.example.com as an answer's owner name (rather
> than www.example.com by synthesis) is probably the way out of this hell.
Wildcard synthesis in the resolver only works if you have NSEC/NSEC3 records (or the equivalent) that show the non-existence of the QNAME; otherwise the resolver would replace explicit data with synthesised data. Real wildcard + covering NSEC/NSEC3 range would work. Getting rid of OPTOUT would also help, as you can't synthesise using an OPTOUT NSEC3 record. Zone operators can turn off OPTOUT today.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: [email protected]
