On Mon, May 16, 2016 at 09:34:17PM +0000, Wessels, Duane wrote:
> Hi Brian,
> 
> I think what you're suggesting has already been proposed.  See 
> https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-nsec-aggressiveuse/ and 
> https://datatracker.ietf.org/doc/draft-wkumari-dnsop-cheese-shop/

It is in fact something you can do today. Some of the largest PowerDNS
Recursor sites in the world run with 'root-nx-trust' enabled:

"If set, an NXDOMAIN from the root-servers will serve as a blanket NXDOMAIN
for the entire TLD the query belonged to. The effect of this is far fewer
queries to the root-servers."

This after f-root had enabled RRL slightly too aggressively on some nodes.

We just tested this setting against the "owned Ubiquity" attack and after a
thousand queries or so traffic to the roots dropped off to almost zero.

        Bert


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
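
Added example, not part of the message above and not PowerDNS code: a toy resolver cache that models the quoted 'root-nx-trust' behaviour and counts queries reaching the root with the setting off and on. The class, the function names, the stand-in root zone and the workload are all constructed for illustration; TTL expiry is not modelled.

```python
# Toy model of the quoted 'root-nx-trust' description. Illustration only.
ROOT_TLDS = {"com", "org", "net"}  # constructed stand-in for the root zone's delegations


class ToyResolver:
    def __init__(self, root_nx_trust):
        self.root_nx_trust = root_nx_trust
        self.delegations = set()  # TLDs the root has referred us to
        self.neg_names = set()    # exact names the root answered NXDOMAIN for
        self.neg_tlds = set()     # whole TLDs treated as nonexistent (setting on)
        self.root_queries = 0

    def _ask_root(self, tld):
        """Model one query to a root server; True means NXDOMAIN."""
        self.root_queries += 1
        return tld not in ROOT_TLDS

    def resolve(self, qname):
        name = qname.rstrip(".").lower()
        tld = name.rsplit(".", 1)[-1]
        if name in self.neg_names or tld in self.neg_tlds:
            return "NXDOMAIN (cached)"
        if tld in self.delegations:
            return "REFERRAL (cached)"
        if self._ask_root(tld):
            self.neg_names.add(name)      # ordinary per-name negative caching
            if self.root_nx_trust:
                self.neg_tlds.add(tld)    # blanket NXDOMAIN for the entire TLD
            return "NXDOMAIN"
        self.delegations.add(tld)
        return "REFERRAL"  # resolution would continue below the root


def root_load(queries, root_nx_trust):
    """Return how many queries reached the root for the given workload."""
    resolver = ToyResolver(root_nx_trust)
    for q in queries:
        resolver.resolve(q)
    return resolver.root_queries


# Constructed workload: 1000 unique names under three TLDs absent from ROOT_TLDS.
FAKE_TLDS = ("local", "lan", "invalid")
SAMPLE = [f"host{i}.{FAKE_TLDS[i % 3]}" for i in range(1000)]

if __name__ == "__main__":
    print("root queries, setting off:", root_load(SAMPLE, False))
    print("root queries, setting on: ", root_load(SAMPLE, True))
```

With per-name negative caching alone, every unique name costs one root query; with the blanket entry, the cost is one root query per nonexistent TLD.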
