On Tuesday, April 1, 2014, Olafur Gudmundsson <o...@ogud.com> wrote:

> you are assuming one validation per question ?
> what if the resolver needs to do 10? that is 1.8ms,

I'm not :) as I wrote - if the resolver validates after it has recursed, only the final end of the line validation increases the overall latency. Responses can be assumed to be valid, recursed and then that recursion can be cancelled and backtracked if the response is found to be invalid.

> In all system design we need to take into account where the system can be
> subverted, right now the
> registration part of DNS system is the weakest link, thus most cost
> effective way to gain hold of a domain is to
> divert the registration.

There are several weak links, and it makes sense to work on them all.

> [1] There's no need to wait for a response to be validated before
> recursing, a validating resolver can first recurse and later backtrack if
> the parent signature doesn't verify.
>
> In the scope of things verification times are small compared to network
> delays but can add up if done as batch operation.

Optimistic concurrency doesn't imply batching. Each response can be validated, while the next question is awaiting a response - one at a time.

--
Colm
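A small latency model of the two strategies discussed in this message, added here as an illustration and not code from either poster or from any resolver. The 0.18 ms per verification follows from the "10 validations is 1.8ms" figure quoted above; the 20 ms round-trip time, the zone names and the function names are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Hop:
    zone: str            # constructed zone name, for reporting only
    rtt_ms: float        # network round trip for the query to this zone
    verify_ms: float     # CPU cost of verifying the signed response
    valid: bool = True   # whether the signature verifies

def serial(hops):
    """Validate each response before sending the next query."""
    clock = 0.0
    for h in hops:
        clock += h.rtt_ms + h.verify_ms
        if not h.valid:
            return ("bogus", h.zone, clock)
    return ("secure", None, clock)

def optimistic(hops):
    """Send the next query as soon as a response arrives and validate
    responses one at a time while that query is in flight. Nothing is
    released to the client until every validation has finished."""
    net = 0.0   # time at which the latest response arrived
    cpu = 0.0   # time at which the validator finished its previous job
    for h in hops:
        net += h.rtt_ms                     # response arrives, next query leaves
        cpu = max(cpu, net) + h.verify_ms   # validator starts once it is free
        if not h.valid:
            # Backtrack: cancel the in-flight recursion and discard
            # everything learned from this response onward.
            return ("bogus", h.zone, cpu)
    return ("secure", None, cpu)

def chain(n, bad_index=None, rtt_ms=20.0, verify_ms=0.18):
    """Build a constructed delegation chain of n hops."""
    return [Hop(f"zone{i}.example.", rtt_ms, verify_ms, valid=(i != bad_index))
            for i in range(n)]

if __name__ == "__main__":
    for label, hops in (("all valid", chain(10)), ("hop 3 bogus", chain(10, 3))):
        print(label, "serial:", serial(hops), "optimistic:", optimistic(hops))
```

With ten valid hops the serial strategy pays all ten verifications on the critical path, while the optimistic one pays only the last; a bogus response is still detected, and the answer is withheld, in both.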