On Mon, May 16, 2016 at 09:34:17PM +0000, Wessels, Duane wrote:
> Hi Brian,
>
> I think what you're suggesting has already been proposed. See
> https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-nsec-aggressiveuse/ and
> https://datatracker.ietf.org/doc/draft-wkumari-dnsop-cheese-shop/
It is in fact something you can do today. Some of the largest PowerDNS
Recursor sites in the world run with 'root-nx-trust' enabled:
"If set, an NXDOMAIN from the root-servers will serve as a blanket NXDOMAIN
for the entire TLD the query belonged to. The effect of this is far fewer
queries to the root-servers."
This after f-root had enabled RRL slightly too aggressively on some nodes.
We just tested this setting against the "owned Ubiquity" attack and after a
thousand queries or so traffic to the roots dropped off to almost zero.
Bert
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
