On Mon, May 16, 2016 at 06:35:10PM -0400, Shumon Huque wrote:
> PowerDNS's root-nx-trust is I believe an implementation of what is described
> in nxdomain-cut:
>
> https://tools.ietf.org/html/draft-ietf-dnsop-nxdomain-cut-03
>
> rather than the nsec-aggressive-use or cheese-shop drafts - those are about
> inferring NXDOMAIN from NSEC/NSEC3 spans.
Got it, thanks - and this I-D is indeed useful to beat people over the head
with if they get it wrong.
I expect PowerDNS might extend the root-nx-trust to other domains, and we
might follow:
"Another exception is that a validating resolver MAY decide to
implement this behaviour only when the NXDOMAIN response has been
validated with DNSSEC."
We can report from practice in any case that trusting the root to get it
right cuts down on root traffic a lot.
Thanks!
Bert
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
