On Mon, May 16, 2016 at 09:34:17PM +0000, Wessels, Duane wrote:
> Hi Brian,
>
> I think what you're suggesting has already been proposed. See
> https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-nsec-aggressiveuse/ and
> https://datatracker.ietf.org/doc/draft-wkumari-dnsop-cheese-shop/
It is in fact something you can do today. Some of the largest PowerDNS Recursor sites in the world run with 'root-nx-trust' enabled:

"If set, an NXDOMAIN from the root-servers will serve as a blanket NXDOMAIN for the entire TLD the query belonged to. The effect of this is far fewer queries to the root-servers."

This after f-root had enabled RRL slightly too aggressively on some nodes.

We just tested this setting against the "owned Ubiquity" attack and after a thousand queries or so traffic to the roots dropped off to almost zero.

Bert

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
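A simplified model of the 'root-nx-trust' behaviour quoted above, added here as an illustration and not PowerDNS Recursor's own code: it replays a constructed burst of distinct names under a nonexistent TLD through a toy recursor and counts the root-server queries sent with and without the setting (TTLs and TLD-server lookups are left out of the model).

```python
# Constructed model of 'root-nx-trust' (not PowerDNS Recursor's own code). The
# simulated root knows only these TLDs; any other TLD gets NXDOMAIN from the root.
ROOT_TLDS = {"com", "net", "org"}

def tld_of(qname):
    return qname.rstrip(".").lower().rsplit(".", 1)[-1]

class Recursor:
    """Minimal recursor caching delegations and negative answers from the root."""
    def __init__(self, root_nx_trust):
        self.root_nx_trust = root_nx_trust
        self.delegated_tlds = set()  # TLDs the root has referred us to
        self.nx_names = set()        # ordinary per-name negative cache
        self.nx_tlds = set()         # blanket-NXDOMAIN TLDs (root-nx-trust)
        self.root_queries = 0

    def ask_root(self, qname):
        self.root_queries += 1       # every call is one packet to a root server
        return "REFERRAL" if tld_of(qname) in ROOT_TLDS else "NXDOMAIN"

    def resolve(self, qname):
        qname = qname.rstrip(".").lower()
        tld = tld_of(qname)
        if qname in self.nx_names or (self.root_nx_trust and tld in self.nx_tlds):
            return "NXDOMAIN"        # served from cache, root not contacted
        if tld in self.delegated_tlds:
            return "NOERROR"         # delegation cached; TLD servers not modelled
        if self.ask_root(qname) == "REFERRAL":
            self.delegated_tlds.add(tld)
            return "NOERROR"
        self.nx_names.add(qname)
        if self.root_nx_trust:
            self.nx_tlds.add(tld)    # the whole TLD is now known not to exist
        return "NXDOMAIN"

def root_queries_for(root_nx_trust, queries):
    """Replay queries through a fresh recursor; return root queries sent."""
    r = Recursor(root_nx_trust)
    for q in queries:
        r.resolve(q)
    return r.root_queries

# Constructed burst: one real-looking query plus 1000 distinct names under the
# reserved, nonexistent TLD .invalid, mimicking random-label junk traffic.
BURST = ["www.example.com"] + [f"host{i}.invalid" for i in range(1000)]

if __name__ == "__main__":
    print("without root-nx-trust:", root_queries_for(False, BURST))  # 1001
    print("with root-nx-trust:   ", root_queries_for(True, BURST))   # 2
```

The model also makes the trade-off visible: a single root NXDOMAIN suppresses every later query for that TLD until the cached entry would expire, so the setting relies on the root answer being genuine.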