Hi all, I wanted to mention a document that Geoff and I wrote a few weeks back:
draft-wkumari-dnsop-cheese-shop-00 - "Believing NSEC records in the DNS root" - https://datatracker.ietf.org/doc/draft-wkumari-dnsop-cheese-shop/

Basically this is a simplification of Kazunori Fujiwara's I-D.fujiwara-dnsop-nsec-aggressiveuse, restricted in scope to only be validated NSEC, and only for the root. Being simpler, we believe that cheese-shop allows for simpler implementation and gaining experience. We complement, not compete with nsec-aggressiveuse.

The root has some nice properties -- we understand a lot about the structure of the zone (e.g. no wildcards, no CNAMEs), and it is known to get a bunch of junk queries. Using NSEC for negative caching is known to work well in this case; we can expand the scope of the document sometime after discussions...

W

--
I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
---maf
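
Added example, not part of the message above and not code from the draft: a sketch of a resolver-side cache that answers NXDOMAIN from validated root NSEC records, relying on the "no wildcards" property mentioned above. All class and function names are hypothetical, the expiry is assumed to be computed by the caller, and the NSEC chain fragments are constructed, not real root zone data.

```python
import bisect
from dataclasses import dataclass

@dataclass(frozen=True)
class RootNsec:
    owner: str        # TLD label, or "" for the root apex
    next_name: str    # next owner in the chain; "" means it wraps to the apex
    expires: float    # absolute expiry chosen by the caller (assumption)
    validated: bool   # True only after DNSSEC validation succeeded

def canon(label: str) -> bytes:
    # RFC 4034 section 6.1: compare labels as lowercase octet strings.
    return label.lower().encode("ascii")

def tld_of(qname: str):
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return labels[-1] if labels else None

class RootNsecCache:
    def __init__(self):
        self._keys, self._recs = [], {}

    def add(self, rec: RootNsec) -> bool:
        if not rec.validated:          # never believe an unvalidated NSEC
            return False
        key = canon(rec.owner)
        if key not in self._recs:
            bisect.insort(self._keys, key)
        self._recs[key] = rec
        return True

    def proves_nxdomain(self, qname: str, now: float) -> bool:
        tld = tld_of(qname)
        if tld is None:                # the root itself always exists
            return False
        q = canon(tld)
        i = bisect.bisect_right(self._keys, q) - 1
        if i < 0:
            return False
        owner = self._keys[i]
        rec = self._recs[owner]
        if owner == q or rec.expires <= now:   # TLD exists, or record is stale
            return False
        nxt = canon(rec.next_name)
        # No wildcards in the root, so a covering NSEC settles every name below q.
        return nxt == b"" or q < nxt

def build_demo_cache(now: float) -> RootNsecCache:
    cache = RootNsecCache()
    # Constructed chain fragments, not real root zone data.
    for owner, nxt in [("", "aaa"), ("lk", "london"), ("zw", "")]:
        cache.add(RootNsec(owner, nxt, now + 3600, True))
    return cache
```

A False result only means the cache cannot answer and the query goes to the root as usual.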