On Wed, Mar 02, 2016 at 08:06:39AM +1100, Mark Andrews wrote:
> ANC does not work for zones using OPTOUT. This is just about all
> TLDs and similar zones.

To be pedantic, it doesn't work for optout ranges. I don't actually know
offhand of any zones that mix optout and non-optout, though, so it's a
fairly pointless quibble.

> That then leaves leaf zones. Here sites will not want ANC for their
> own zones internally. Externally there is only real benefit if you
> are under a random prefix DoS attack.

Random prefix DoS attacks are prevalent enough nowadays to make this seem
like a rather significant exception. The downsides should be manageable.
We can implement ANC so that it's separately enabled or disabled for
different namespaces, and put a TTL cap on NSEC/NSEC3 records in zones
that have ANC enabled.

I agree with the suggestion upthread that we address the general case
instead of the root-only solution.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
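The three points in the exchange above (ANC cannot synthesize answers from an NSEC3 opt-out span, ANC enabled per namespace, and a TTL cap on cached NSEC/NSEC3) as a toy resolver-cache model. This is an added example written for this page; it is not code from the thread, from ISC or from BIND. Assumed and constructed here: the class and function names (`ResolverCache`, `nsec_covers`, `nsec3_hash`, `load_nsec3_chain`), the 300-second cap (the thread proposes a cap but names no value), the sample zone `example` with three names, and the simplification that query names are direct children of the apex, so the closest encloser is the apex and the "next closer name" is the query name itself.

```python
"""Toy aggressive-negative-caching (ANC) model. Added illustration only;
not ISC/BIND code. Assumes query names are direct children of the apex."""
import base64
import hashlib
from dataclasses import dataclass, field


def canonical_key(name: str) -> tuple:
    """Sort key for DNSSEC canonical ordering (RFC 4034 s6.1): labels are
    compared right to left, case-insensitively."""
    labels = [lbl.lower() for lbl in name.rstrip(".").split(".") if lbl]
    return tuple(reversed(labels))


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname lies strictly inside the gap (owner, next_name)."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o  # last NSEC of the zone: next_name wraps back to the apex


# base64.b32encode uses the RFC 4648 alphabet; NSEC3 owner names use base32hex.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 s5 (SHA-1): IH(0)=H(wire||salt), IH(k)=H(IH(k-1)||salt),
    returned as the lowercase base32hex owner-name form."""
    labels = reversed(canonical_key(name))  # lowercase, original order
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()


@dataclass
class Nsec3Record:
    owner_hash: str
    next_hash: str
    optout: bool
    ttl: int


def nsec3_covers(rec: Nsec3Record, h: str) -> bool:
    """Hash space is circular: the last record wraps to the first hash."""
    if rec.owner_hash < rec.next_hash:
        return rec.owner_hash < h < rec.next_hash
    return h > rec.owner_hash or h < rec.next_hash


@dataclass
class ResolverCache:
    apex: str
    anc_enabled: bool = True      # per-namespace switch, as the mail proposes
    nsec_ttl_cap: int = 300       # assumed value; the mail names no number
    salt: bytes = b""
    iterations: int = 0
    nsec: list = field(default_factory=list)   # (owner, next, ttl)
    nsec3: list = field(default_factory=list)  # Nsec3Record

    def cache_ttl(self, rr_ttl: int) -> int:
        """Cap NSEC/NSEC3 TTLs where ANC is on, bounding how long a
        synthesized NXDOMAIN can outlive a change in the zone."""
        return min(rr_ttl, self.nsec_ttl_cap) if self.anc_enabled else rr_ttl

    def add_nsec(self, owner: str, next_name: str, ttl: int) -> None:
        self.nsec.append((owner, next_name, self.cache_ttl(ttl)))

    def add_nsec3(self, owner_hash: str, next_hash: str, optout: bool, ttl: int) -> None:
        self.nsec3.append(Nsec3Record(owner_hash, next_hash, optout, self.cache_ttl(ttl)))

    def _nsec_proves_absent(self, name: str) -> bool:
        return any(nsec_covers(o, n, name) for o, n, _ in self.nsec)

    def _nsec3_proves_absent(self, name: str) -> bool:
        h = nsec3_hash(name, self.salt, self.iterations)
        for rec in self.nsec3:
            if nsec3_covers(rec, h):
                # An opt-out span may contain unsigned delegations that were
                # added without touching the chain, so it proves nothing.
                return not rec.optout
        return False

    def synthesize(self, qname: str):
        """'NXDOMAIN' if cached denial-of-existence data proves qname (and the
        wildcard at the apex) absent; None means the query must go upstream."""
        if not self.anc_enabled:
            return None
        wildcard = "*." + self.apex
        for proves in (self._nsec_proves_absent, self._nsec3_proves_absent):
            if proves(qname) and proves(wildcard):
                return "NXDOMAIN"
        return None


def load_nsec3_chain(cache: ResolverCache, names: list, optout: bool, ttl: int) -> None:
    """Constructed chain: hash every name, sort, and link each to the next."""
    hashes = sorted(nsec3_hash(n, cache.salt, cache.iterations) for n in names)
    for i, h in enumerate(hashes):
        cache.add_nsec3(h, hashes[(i + 1) % len(hashes)], optout, ttl)


if __name__ == "__main__":
    c = ResolverCache(apex="example")
    for owner, nxt in [("example", "a.example"), ("a.example", "ns1.example"),
                       ("ns1.example", "z.example"), ("z.example", "example")]:
        c.add_nsec(owner, nxt, 86400)          # constructed chain; TTL capped to 300
    print(c.synthesize("b.example"), c.synthesize("a.example"))  # NXDOMAIN None
```

With the NSEC chain loaded, a random-prefix query such as `b.example` is answered from cache, while a query for an existing name (`a.example`) still goes upstream. Loading the same three names as an NSEC3 chain with the opt-out flag set makes `synthesize` return `None` for every name, which is the behaviour Mark Andrews describes for TLD-style zones; the same chain without opt-out synthesizes again.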