Hi,

On 17 May 2016, at 11:14, Peter van Dijk <peter.van.d...@powerdns.com> wrote:

> On 17 May 2016, at 0:35, Shumon Huque wrote:
>
>> On Mon, May 16, 2016 at 5:45 PM, bert hubert <bert.hub...@netherlabs.nl>
>> wrote:
>>
>>> It is in fact something you can do today. Some of the largest PowerDNS
>>> Recursor sites in the world run with 'root-nx-trust' enabled:
>>>
>>> "If set, an NXDOMAIN from the root-servers will serve as a blanket NXDOMAIN
>>> for the entire TLD the query belonged to. The effect of this is far fewer
>>> queries to the root-servers."
>>
>> PowerDNS's root-nx-trust is I believe an implementation of what is described
>> in nxdomain-cut:
>>
>> https://tools.ietf.org/html/draft-ietf-dnsop-nxdomain-cut-03
>>
>> rather than the nsec-aggressive-use or cheese-shop drafts - those are about
>> inferring NXDOMAIN from NSEC/NSEC3 spans.
>
> There is a subtle difference. We send the full query to the root, and get an
> NXDOMAIN for the full name, but with the setting enabled, we believe that the
> NXDOMAIN was generated from the top label. In other words, we rely on the
> ‘shape’ of the root zone in that every positive entry in it is only one label
> long.

It strikes me that this is a case where qname minimization would not only help privacy, but also help with this problem as the resulting NXDOMAIN will cover the entire non-existent TLD.

Johan Ihrén
Netnod

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
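An added illustration, not part of the thread and not PowerDNS code: a toy resolver negative cache that compares what the root sees, and what gets cached, with exact-name caching, with the 'root-nx-trust' inference, and with qname minimization. The root zone contents, the query names and the mode labels "plain" and "qname-min" are assumptions made for this example.

```python
# Toy model (constructed; not PowerDNS code). Only the root hop is modelled.
ROOT_TLDS = {"com", "org", "net"}  # constructed root zone: one-label names only


def root_answers(qname):
    """Root server: referral if the last label is delegated, else NXDOMAIN."""
    return "REFERRAL" if qname.split(".")[-1] in ROOT_TLDS else "NXDOMAIN"


class Resolver:
    def __init__(self, mode):
        self.mode = mode            # "plain", "root-nx-trust" or "qname-min"
        self.neg_cache = set()      # names cached as non-existent
        self.root_queries = []      # query names the root actually received

    def _covered(self, qname):
        if self.mode == "plain":
            return qname in self.neg_cache          # exact match only
        labels = qname.split(".")
        # A cached NXDOMAIN for any ancestor covers everything below it.
        return any(".".join(labels[i:]) in self.neg_cache
                   for i in range(len(labels)))

    def resolve(self, qname):
        qname = qname.rstrip(".").lower()
        if self._covered(qname):
            return "NXDOMAIN (cached)"
        tld = qname.split(".")[-1]
        sent = tld if self.mode == "qname-min" else qname
        self.root_queries.append(sent)
        rcode = root_answers(sent)
        if rcode == "NXDOMAIN":
            # root-nx-trust: the answer was for the full name; caching the TLD
            # is an inference from the one-label shape of the root zone.
            # qname-min: the TLD is the name that was answered, no inference.
            self.neg_cache.add(tld if self.mode == "root-nx-trust" else sent)
        return rcode


def root_traffic(mode, names):
    """Return the query names the root saw for this workload."""
    r = Resolver(mode)
    for n in names:
        r.resolve(n)
    return r.root_queries


# Constructed workload: three names under a TLD absent from ROOT_TLDS, one valid.
NAMES = ["printer.corp", "mail.corp", "a.b.corp", "www.example.com"]

if __name__ == "__main__":
    for mode in ("plain", "root-nx-trust", "qname-min"):
        print(mode, root_traffic(mode, NAMES))
```

Both non-plain modes cut the root queries for the missing TLD to one, but only the qname-min run keeps the lower labels out of the root's view.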