On Tue, May 17, 2016 at 6:37 AM, Johan Ihrén <joh...@netnod.se> wrote:
> Hi,
>
> On 17 May 2016, at 11:14 , Peter van Dijk <peter.van.d...@powerdns.com> wrote:
>
> > On 17 May 2016, at 0:35, Shumon Huque wrote:
> >
> >> On Mon, May 16, 2016 at 5:45 PM, bert hubert <bert.hub...@netherlabs.nl> wrote:
> >>
> >>> It is in fact something you can do today. Some of the largest PowerDNS
> >>> Recursor sites in the world run with 'root-nx-trust' enabled:
> >>>
> >>> "If set, an NXDOMAIN from the root-servers will serve as a blanket NXDOMAIN
> >>> for the entire TLD the query belonged to. The effect of this is far fewer
> >>> queries to the root-servers."
> >>
> >> PowerDNS's root-nx-trust is I believe an implementation of what is described
> >> in nxdomain-cut:
> >>
> >> https://tools.ietf.org/html/draft-ietf-dnsop-nxdomain-cut-03
> >>
> >> rather than the nsec-aggressive-use or cheese-shop drafts - those are about
> >> inferring NXDOMAIN from NSEC/NSEC3 spans.
> >
> > There is a subtle difference. We send the full query to the root, and get an
> > NXDOMAIN for the full name, but with the setting enabled, we believe that the
> > NXDOMAIN was generated from the top label. In other words, we rely on the
> > 'shape' of the root zone in that every positive entry in it is only one label
> > long.
>
> Ah, thanks for the clarification.
>
> It strikes me that this is a case where qname minimization would not only
> help privacy, but also help with this problem as the resulting NXDOMAIN
> will cover the entire non-existent TLD.

Yes, indeed.

--
Shumon Huque
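As an added illustration (not code from the thread, and not PowerDNS code), the constructed Python model below contrasts the two mechanisms Peter and Johan describe: with root-nx-trust the resolver infers a whole-TLD NXDOMAIN from an NXDOMAIN it received for the full name, while with qname minimisation the NXDOMAIN it receives already names the TLD. FakeRoot, Resolver and root_queries_for are invented names, and the tiny root zone is constructed.

```python
# Constructed model (not PowerDNS code) of how a 'root-nx-trust' style
# inference and qname minimisation each turn one NXDOMAIN from the root
# into a negative cache entry covering a whole non-existent TLD.

class FakeRoot:
    """Stand-in root (constructed): every owner name is one label long."""
    DELEGATED = {"com", "net", "se", "nl"}

    def __init__(self):
        self.queries = []  # every qname that reached the root

    def query(self, qname):
        self.queries.append(qname)
        tld = qname.rstrip(".").split(".")[-1]
        # A real root returns a referral for a delegated TLD; "NOERROR" is
        # enough here to stand for "anything but NXDOMAIN".
        return "NOERROR" if tld in self.DELEGATED else "NXDOMAIN"

class Resolver:
    def __init__(self, root, root_nx_trust=False, qname_min=False):
        self.root = root
        self.root_nx_trust = root_nx_trust
        self.qname_min = qname_min
        self.negative_tlds = set()  # negative cache keyed by TLD

    def resolve(self, qname):
        tld = qname.rstrip(".").split(".")[-1]
        if tld in self.negative_tlds:
            return "NXDOMAIN-cached"  # answered without asking the root
        # qname minimisation sends only the TLD to the root; otherwise the
        # full name goes out, which is what the thread says PowerDNS does.
        sent = tld + "." if self.qname_min else qname
        rcode = self.root.query(sent)
        if rcode == "NXDOMAIN":
            if self.qname_min:
                # The NXDOMAIN names the TLD itself, so ordinary negative
                # caching already covers every name under it.
                self.negative_tlds.add(tld)
            elif self.root_nx_trust:
                # NXDOMAIN was for the full name; extending it to the TLD is
                # an inference valid only while the root keeps its one-label 'shape'.
                self.negative_tlds.add(tld)
        return rcode

def root_queries_for(names, **resolver_opts):
    """Resolve each name in turn; return (rcodes, qnames the root saw)."""
    root = FakeRoot()
    res = Resolver(root, **resolver_opts)
    return [res.resolve(n) for n in names], root.queries
```

With neither option the root sees both full names; with either option it sees exactly one query, but only qname minimisation gets there without relying on the root zone's shape.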
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop