Hello Shumon,

On 17 May 2016, at 0:35, Shumon Huque wrote:

> On Mon, May 16, 2016 at 5:45 PM, bert hubert <bert.hub...@netherlabs.nl>
> wrote:
>
>> It is in fact something you can do today. Some of the largest PowerDNS
>> Recursor sites in the world run with 'root-nx-trust' enabled:
>>
>> "If set, an NXDOMAIN from the root-servers will serve as a blanket
>> NXDOMAIN for the entire TLD the query belonged to. The effect of this is
>> far fewer queries to the root-servers."
>
> PowerDNS's root-nx-trust is I believe an implementation of what is described
> in nxdomain-cut:
>
>     https://tools.ietf.org/html/draft-ietf-dnsop-nxdomain-cut-03
>
> rather than the nsec-aggressive-use or cheese-shop drafts - those are about
> inferring NXDOMAIN from NSEC/NSEC3 spans.

There is a subtle difference. We send the full query to the root, and get an
NXDOMAIN for the full name, but with the setting enabled, we believe that the
NXDOMAIN was generated from the top label. In other words, we rely on the
‘shape’ of the root zone in that every positive entry in it is only one label
long.

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
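
The inference discussed in this message, as an added example that is not part of the thread and is not PowerDNS code: a toy resolver that widens an NXDOMAIN for a full name to its top label, run against a zone with only one-label owners and against one with a deeper owner, where the widening gives a wrong answer. `ToyZone`, `ToyResolver` and both zones are hypothetical and constructed for illustration.

```python
NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"

def labels(name):
    """Split a domain name into lower-cased labels; the top label is last."""
    return tuple(l for l in name.lower().split(".") if l)

class ToyZone:
    """Toy authoritative server for a zone whose apex is the root."""
    def __init__(self, owners):
        self.owners = {labels(o) for o in owners}
        self.queries = 0  # upstream queries actually received

    def rcode(self, qname):
        self.queries += 1
        q = labels(qname)
        if not q:
            return NOERROR  # the apex itself always exists
        for o in self.owners:
            # qname is at or below an owner (answer or referral),
            # or above one (empty non-terminal): the name exists.
            if q[-len(o):] == o or o[-len(q):] == q:
                return NOERROR
        return NXDOMAIN

class ToyResolver:
    """Negative cache only; root_nx_trust mimics the behaviour described above."""
    def __init__(self, zone, root_nx_trust):
        self.zone, self.trust = zone, root_nx_trust
        self.neg = set()  # cached non-existent names, as label tuples

    def resolve(self, qname):
        q = labels(qname)
        if q in self.neg or (self.trust and q[-1:] in self.neg):
            return NXDOMAIN  # served from cache, no upstream query
        rc = self.zone.rcode(qname)  # the full query name is sent upstream
        if rc == NXDOMAIN:
            # With trust on, the NXDOMAIN is believed to be about the top label.
            self.neg.add(q[-1:] if self.trust else q)
        return rc

def demo():
    root_like = ToyZone(["com", "org", "nl"])  # constructed: one-label owners only
    r = ToyResolver(root_like, root_nx_trust=True)
    answers = (r.resolve("printer.corp.invalid"), r.resolve("other.invalid"))
    deep = ToyZone(["a.b"])  # constructed: two-label owner, nothing at "b" itself
    r2 = ToyResolver(deep, root_nx_trust=True)
    r2.resolve("x.b")  # a genuine NXDOMAIN, widened to all of "b"
    return answers, root_like.queries, r2.resolve("a.b"), deep.rcode("a.b")
```

In the second zone the resolver returns NXDOMAIN for `a.b` although the zone itself answers NOERROR, which is why the shortcut is only sound for a zone with the shape the message describes.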
