On Mon, May 16, 2016 at 5:45 PM, bert hubert <bert.hub...@netherlabs.nl> wrote:
> On Mon, May 16, 2016 at 09:34:17PM +0000, Wessels, Duane wrote:
> > Hi Brian,
> >
> > I think what you're suggesting has already been proposed. See
> > https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-nsec-aggressiveuse/
> > and https://datatracker.ietf.org/doc/draft-wkumari-dnsop-cheese-shop/
>
> It is in fact something you can do today. Some of the largest PowerDNS
> Recursor sites in the world run with 'root-nx-trust' enabled:
>
> "If set, an NXDOMAIN from the root-servers will serve as a blanket NXDOMAIN
> for the entire TLD the query belonged to. The effect of this is far fewer
> queries to the root-servers."
>
> This after f-root had enabled RRL slightly too aggressively on some nodes.
>
> We just tested this setting against the "owned Ubiquity" attack and after a
> thousand queries or so traffic to the roots dropped off to almost zero.
>
> Bert

Bert,

PowerDNS's root-nx-trust is I believe an implementation of what is described in nxdomain-cut: https://tools.ietf.org/html/draft-ietf-dnsop-nxdomain-cut-03 rather than the nsec-aggressive-use or cheese-shop drafts - those are about inferring NXDOMAIN from NSEC/NSEC3 spans.

Shumon.
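To make the distinction in the thread concrete, here is an added toy model (not PowerDNS code, not from any of the drafts) of a resolver negative cache that applies the nxdomain-cut subtree rule and, on top of it, the root-nx-trust behaviour quoted above. The hierarchy data, the query burst and the query counters are constructed for the example; positive caching of delegations is deliberately left out so the counters only show the effect of negative caching.

```python
from typing import Iterator, Set

# Constructed pretend DNS hierarchy for the example (not real zone contents).
EXISTING_TLDS = {"com", "net", "nl"}
EXISTING_2LD = {"example.com", "netherlabs.nl"}


class NegativeCache:
    """Negative cache applying the nxdomain-cut rule plus root-nx-trust."""

    def __init__(self) -> None:
        self.nxdomains: Set[str] = set()  # names whose whole subtree is known not to exist
        self.root_queries = 0             # queries that reached the pretend root
        self.tld_queries = 0              # queries that reached a pretend TLD server

    @staticmethod
    def ancestors(name: str) -> Iterator[str]:
        labels = name.rstrip(".").lower().split(".")
        for i in range(len(labels)):
            yield ".".join(labels[i:])

    def covered(self, name: str) -> bool:
        # nxdomain-cut: a cached NXDOMAIN for the name or any ancestor answers it
        return any(a in self.nxdomains for a in self.ancestors(name))

    def resolve(self, name: str) -> str:
        if self.covered(name):
            return "NXDOMAIN (cache)"
        labels = name.rstrip(".").lower().split(".")
        tld = labels[-1]
        self.root_queries += 1
        if tld not in EXISTING_TLDS:
            # root-nx-trust: an NXDOMAIN from the root is taken as a blanket
            # NXDOMAIN for the whole TLD, not only for the exact query name.
            self.nxdomains.add(tld)
            return "NXDOMAIN (root)"
        if len(labels) == 1:
            return "NOERROR"
        sld = ".".join(labels[-2:])
        self.tld_queries += 1
        if sld not in EXISTING_2LD:
            # plain nxdomain-cut: the denied second-level name is cached and
            # everything below it is answered from the cache afterwards.
            self.nxdomains.add(sld)
            return "NXDOMAIN (tld)"
        return "NOERROR"


def simulate_query_burst(cache: NegativeCache, tld: str, count: int) -> int:
    """Constructed burst of queries for host<i>.<tld>; returns root queries sent."""
    for i in range(count):
        cache.resolve(f"host{i}.{tld}")
    return cache.root_queries
```

With root-nx-trust only the first query for a non-existent TLD reaches the root; every later name under that TLD is answered from the cache, which is the traffic drop described in the quoted message.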
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop