Hi Petr,

Thanks for your comments :-)
Petr Špaček <petr.spa...@nic.cz> wrote on Thu, 10 Aug 2017 at 19:04:

> Hello,
>
> On 4.7.2017 05:54, Lanlan Pan wrote:
> > Hi Tony,
> >
> > We try to solve a similar wildcard problem.
> >
> > NSEC/NSEC3 aggressive use (Section 5.3 Wildcards
> > <https://tools.ietf.org/html/draft-ietf-dnsop-nsec-aggressiveuse-10#page-6>):
> > - NSEC/NSEC3 RR: gives "NOT EXIST SUBDOMAIN" information.
> > - cached deduced wildcard: gives the default wildcard RR.
> >
> > SWILD:
> > - Directly gives "ALL SUBDOMAIN" information, and the default wildcard RR.
> >
> > SWILD is applicable even when Authoritative Nameservers don't give
> > NSEC/NSEC3 RRs.
> > SWILD is applicable on non-validating Forwarding Resolvers.
>
> If I understand it correctly:
> - the only information added by the SWILD RR is explicit information
>   about the original (unexpanded) name of the wildcard owner
> - the very same information can be obtained from the RRSIG RR in a
>   synthesised answer (RRSIG labels < owner name labels)
> - SWILD will work only if there are no nodes below the wildcard

Your analysis is totally right.

> Assuming this analysis is right, I'm against this proposal.
>
> We can get even better behavior from aggressive NSEC use. Here are
> advantages of aggressive NSEC use:
> - does not require changes to existing authoritatives or signed zones
> - less fragile (if we consider manual SWILD specification as an option)
> - supports wildcards with nodes below them

Yes, aggressive NSEC use has advantages if:
1) the AUTH gives NSEC RRs.
2) every Intermediate Resolver supports DNSSEC validation and aggressive NSEC use.

> Yes, the aggressive NSEC is limited to DNSSEC-signed zones. I think that
> is okay: New features are provided only by the latest version of
> the protocol.

But:
1) many wildcards occupy the Resolver cache, with no nodes below them.
2) for many wildcards, the AUTH does not give NSEC RRs.
3) many resolvers do not support DNSSEC validation, not to mention aggressive NSEC use.
From the point of view of a new feature, SWILD can be a simpler alternative choice to deploy.

> Petr Špaček @ CZ.NIC
>
> > Regards,
> >
> > Tony Finch <d...@dotat.at> wrote on Mon, 3 Jul 2017 at 20:18:
> >
> > > Lanlan Pan <abby...@gmail.com> wrote:
> > >
> > > > This document specifies a new SWILD RR type for Intermediate
> > > > Nameservers to cache subdomain wildcard records, in order to reduce
> > > > the cache size and optimize the wildcard domain cache miss.
> > >
> > > Isn't this functionality already provided by
> > > https://tools.ietf.org/html/draft-ietf-dnsop-nsec-aggressiveuse ?
> > >
> > > Tony.
> > > --
> > > f.anthony.n.finch <d...@dotat.at>
> > > http://dotat.at/ - I xn--zr8h punycode
> > > Fitzroy: Variable 4 for a time in north, otherwise northeasterly becoming
> > > cyclonic 5 to 7. Slight or moderate. Occasional rain. Moderate, occasionally
> > > poor.
> >
> > --
> > Best Regards
> >
> > 潘蓝兰 Pan Lanlan
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

--
Best Regards

潘蓝兰 Pan Lanlan
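Added example (editor's code, not from anyone in the thread or from the SWILD draft): a model of the two mechanisms Petr compares. `wildcard_owner` recovers the unexpanded wildcard owner from the RRSIG Labels field (RFC 4035 section 3.1.3), which is the information SWILD would carry explicitly; `AggressiveNsecCache` then synthesizes later answers from the cached wildcard RRset and a cached NSEC (RFC 8198 section 5.3), and shows why a real node below the wildcard (www.example. here) is a cache miss rather than a wrong synthesized answer. The zone (`*.example.`, `www.example.`, the NSEC chain and the addresses) is constructed for the example; the class and function names are the editor's.

```python
"""Wildcard-owner recovery from RRSIG Labels (RFC 4035 s.3.1.3) and a minimal
aggressive-NSEC cache (RFC 8198 s.5.3). Constructed example data, no network."""
from __future__ import annotations


def labels(name: str) -> list[str]:
    """Split a name into labels: "abc.example." -> ["abc", "example"]."""
    stripped = name.rstrip(".")
    return stripped.split(".") if stripped else []


def canonical_key(name: str) -> list[bytes]:
    """RFC 4034 s.6.1 canonical ordering: lowercased labels compared
    right-to-left as octet strings; a name that is a prefix sorts first."""
    return [label.lower().encode() for label in reversed(labels(name))]


def wildcard_owner(owner: str, rrsig_labels: int) -> str | None:
    """Return "*.<closest encloser>." if the RRSIG Labels field is smaller
    than the owner's label count (the RRset was wildcard-expanded), else None."""
    owner_labels = labels(owner)
    if rrsig_labels >= len(owner_labels):
        return None
    return "*." + ".".join(owner_labels[len(owner_labels) - rrsig_labels:]) + "."


def is_subdomain(name: str, ancestor: str) -> bool:
    kn, ka = canonical_key(name), canonical_key(ancestor)
    return len(kn) > len(ka) and kn[: len(ka)] == ka


def nsec_covers(nsec_owner: str, nsec_next: str, qname: str) -> bool:
    """True if NSEC (owner -> next) proves qname does not exist:
    owner < qname < next in canonical order; the last NSEC wraps to the apex."""
    ko, kn, kq = (canonical_key(nsec_owner), canonical_key(nsec_next),
                  canonical_key(qname))
    if ko < kn:
        return ko < kq < kn
    return kq > ko or kq < kn  # wrap-around NSEC at the end of the chain


def next_closer_name(qname: str, encloser: str) -> str:
    """The name one label below the closest encloser on the path to qname."""
    ls = labels(qname)
    depth = len(labels(encloser))
    return ".".join(ls[len(ls) - depth - 1:]) + "."


class AggressiveNsecCache:
    """Cached NSEC ranges plus wildcard RRsets keyed by unexpanded owner,
    as a validating resolver would hold them after a positive wildcard answer."""

    def __init__(self) -> None:
        self.nsecs: list[tuple[str, str]] = []
        self.wildcards: dict[str, str] = {}

    def learn(self, qname: str, rrsig_labels: int, rdata: str,
              nsec_owner: str, nsec_next: str) -> str | None:
        """Store a validated wildcard-expanded answer and the NSEC that came
        with it (proof that no closer match existed). Returns the wildcard owner."""
        wc = wildcard_owner(qname, rrsig_labels)
        if wc is not None:
            self.wildcards[wc] = rdata
        self.nsecs.append((nsec_owner, nsec_next))
        return wc

    def synthesize(self, qname: str) -> str | None:
        """Answer from cache per RFC 8198 s.5.3, or None (must ask the AUTH)."""
        for wc, rdata in self.wildcards.items():
            encloser = wc[2:]  # strip the leading "*."
            if not is_subdomain(qname, encloser):
                continue
            # The wildcard applies only if a cached NSEC proves that the
            # next closer name does not exist; a real node (www.example.)
            # or an uncovered range is a cache miss, never a wrong answer.
            nc = next_closer_name(qname, encloser)
            if any(nsec_covers(o, n, nc) for o, n in self.nsecs):
                return rdata
        return None


def demo() -> dict[str, str | None]:
    """Constructed zone: *.example. A 192.0.2.1, www.example. A 192.0.2.2,
    NSEC chain example. -> *.example. -> www.example. -> example."""
    cache = AggressiveNsecCache()
    # Answer for abc.example./A: owner has 2 labels, RRSIG Labels = 1,
    # so it was synthesized from *.example.; NSEC *.example. -> www.example.
    cache.learn("abc.example.", 1, "192.0.2.1", "*.example.", "www.example.")
    return {
        "foo.example.": cache.synthesize("foo.example."),  # covered: synthesized
        "a.b.example.": cache.synthesize("a.b.example."),  # b.example. covered
        "www.example.": cache.synthesize("www.example."),  # real node: miss
        "xyz.example.": cache.synthesize("xyz.example."),  # outside NSEC: miss
        "foo.other.": cache.synthesize("foo.other."),      # other zone: miss
    }


if __name__ == "__main__":
    for name, answer in demo().items():
        print(f"{name:14} -> {answer or 'cache miss, query authoritative'}")
```

The cache miss for xyz.example. is the cost Petr's position accepts: the resolver must fetch (and will then cache) the wrap-around NSEC www.example. -> example. before it can synthesize names sorting after www. What the model makes concrete is the trade he names in the third bullet: an "ALL SUBDOMAIN" assertion cannot express the hole at www.example., while the NSEC-driven check never synthesizes across an existing node.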