On Tue, Mar 28, 2023 at 6:19 AM Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
> A possibly inconvenient question, just to make sure we're not ignoring
> the obvious sceptical position:
>
> * How compelling are compact lies?
>
> The reason to ask is that both the original and now modified protocols
> involve non-trivial complexity, and would have resolvers responding
> differently to queries with the DO bit set (tell them the truth) vs.
> queries that don't request validated answers (unmask the lie).
>
> The savings vs. actual by-the-book NSEC responses appear to be a 2x
> reduction in the number of signatures to compute (the SOA RRSIG is
> presumably easily cached) and a 1.5x reduction in the number of
> signatures to transmit (SOA + 1 NSEC, vs. SOA + 2 NSEC).
>
> Do the CPU and packet size reductions justify the additional protocol
> complexity?

That's a reasonable question, and perhaps best directed to the originators of the scheme at Cloudflare. I don't know if there have been any measurement studies or analyses of the cost benefits vs by-the-book DNSSEC. There are currently 3 large commercial DNS providers that have had it deployed for a while now, so I suspect that it is here to stay. Note that one other provider (UltraDNS) does support traditional NSEC "White Lies" that give by-the-book DNSSEC proofs for NXDOMAIN, so apparently they are bearing the additional costs just fine.

One other point -- without the additional rcode substitution schemes under discussion, Compact Answers can cause additional work for authority servers, since NODATA responses may lead to follow-on queries by DNS client applications (e.g. the common AAAA followed by A pattern). So, the per-response crypto & size reductions need to also be weighed against the cost of these additional queries.

Shumon.
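As an added illustration (not part of the thread, and not Cloudflare's or any provider's code), the following Python models the signature accounting Viktor describes: a by-the-book NXDOMAIN proof needs the existing NSEC covering the qname plus the one covering the wildcard at the closest encloser (sometimes the same record), while a Compact Answer synthesizes a single NSEC at the qname. The zone contents and query names are constructed; the signature counts assume the SOA RRSIG is cached and each NSEC in the response needs one online RRSIG.

```python
"""Added example: by-the-book NSEC NXDOMAIN proof vs. a Compact Answer."""
from typing import Dict, List, Tuple

def canon_key(name: str) -> Tuple[bytes, ...]:
    """Canonical DNS ordering key (RFC 4034 s6.1): labels compared from the
    root downward, case-insensitively; a shorter (ancestor) name sorts first."""
    labels = name.lower().rstrip(".").split(".")
    return tuple(label.encode() for label in reversed(labels))

def covering_nsec(zone_names: List[str], qname: str) -> Tuple[str, str]:
    """Return (owner, next) of the zone's pre-signed NSEC whose span covers
    qname, i.e. owner < qname < next; the last NSEC wraps back to the apex."""
    chain = sorted(zone_names, key=canon_key)
    k = canon_key(qname)
    last = len(chain) - 1
    for i, owner in enumerate(chain):
        nxt = chain[(i + 1) % len(chain)]
        if canon_key(owner) < k and (k < canon_key(nxt) or i == last):
            return owner, nxt
    raise ValueError("qname exists in the zone (or chain is empty)")

def closest_encloser(zone_names: List[str], qname: str) -> str:
    """Longest existing ancestor of qname; its wildcard must be denied too."""
    labels = qname.rstrip(".").split(".")
    existing = {canon_key(n) for n in zone_names}
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if canon_key(candidate) in existing:
            return candidate
    raise ValueError("qname is not below the zone apex")

def by_the_book_nxdomain(zone_names: List[str], qname: str) -> List[Tuple[str, str]]:
    """RFC 4035 NXDOMAIN proof: NSEC covering qname and NSEC covering
    *.<closest encloser>, deduplicated when one record covers both."""
    ce = closest_encloser(zone_names, qname)
    proof = {covering_nsec(zone_names, qname),
             covering_nsec(zone_names, "*." + ce)}
    return sorted(proof)

def compact_answer(qname: str) -> List[Tuple[str, str]]:
    """Compact Answer: one NSEC synthesized at qname whose next name is
    \\000.qname; its type bitmap carries only NSEC and RRSIG, which is why
    clients see NODATA rather than NXDOMAIN without rcode substitution."""
    return [(qname, "\\000." + qname)]

def compare(zone_names: List[str], qname: str) -> Dict[str, int]:
    """Online RRSIGs (one per NSEC) and RRSIGs on the wire (SOA + NSECs)."""
    book, compact = by_the_book_nxdomain(zone_names, qname), compact_answer(qname)
    return {"book_online_sigs": len(book), "book_sigs_sent": 1 + len(book),
            "compact_online_sigs": len(compact), "compact_sigs_sent": 1 + len(compact)}
```

Run `compare(["example.com.", "a.example.com.", "mail.example.com.", "www.example.com."], "nope.example.com.")` to see the 2-vs-1 online signatures and 3-vs-2 signatures transmitted that Viktor quotes; a zone with only the apex and one host shows the case where a single by-the-book NSEC already covers both the qname and the wildcard.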
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations