And the 'go read this' reference is https://tools.ietf.org/html/rfc8198
On Tue, 2021-04-06 at 20:29 +0200, libor.peltan wrote:
> Hi Murray,
>
> if foo.example does not exist and DNSSEC is in place, then the resolver
> actually, even with the queries "in reverse order", obtains an NSEC(3),
> proving non-existence for much more.
>
> For example, the query is bar.foo.example, and the authoritative returns an
> NSEC proving that there is nothing between fa.example and fz.example. Thus,
> the resolver can later deduce nonexistence not only for foo.example, but also
> for fun.example and bar.fun.example, etc...
>
> Without DNSSEC, this deduction (called "aggressive NSEC caching") is not
> possible.
>
> Cheers,
>
> Libor
>
> On 06. 04. 21 at 20:11, Murray S. Kucherawy wrote:
> >
> > This would make an ascending tree walk even for something crazy like
> > "a.b.c.d.....y.z.foo.example" extremely cheap as the cached NXDOMAIN for
> > "foo.example" covers the entire subtree, for a caching nameserver
> > implementing RFC 8020.
> >
> > Maybe this is discussed somewhere that I missed in the references. I'm
> > happy to take a "go read this for the answer" if that's the case.

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
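
The deduction discussed in this thread, as an added example that is not part of the original messages and not any resolver's code: it compares what a cached RFC 8020 NXDOMAIN for foo.example covers with what the fa.example to fz.example NSEC range covers. The names `canonical_key`, `nxdomain_cut_covers` and `NsecCache` are hypothetical, and the code assumes NSEC (not NSEC3), already-validated records, and leaves out the wildcard proof RFC 8198 also requires.

```python
# Added illustration, not resolver code. Names here are hypothetical.
# Simplifications: NSEC only (no NSEC3), records assumed DNSSEC-validated,
# no escaped characters in labels, and the separate wildcard proof that
# RFC 8198 requires before synthesizing NXDOMAIN is not checked.

def canonical_key(name):
    """RFC 4034 section 6.1 order: labels compared right to left as
    lowercase octet strings, so a parent sorts before its children."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode("ascii") for label in reversed(labels))

def nxdomain_cut_covers(cached_nxdomain, qname):
    """RFC 8020: a cached NXDOMAIN covers only the subtree below it."""
    cut, q = canonical_key(cached_nxdomain), canonical_key(qname)
    return q[:len(cut)] == cut

class NsecCache:
    def __init__(self, zone):
        self.apex = canonical_key(zone)
        self.ranges = []  # (owner, next) pairs from validated NSEC records

    def add(self, owner, next_name):
        self.ranges.append((canonical_key(owner), canonical_key(next_name)))

    def covers(self, qname):
        """True if a cached NSEC range proves that qname does not exist."""
        q = canonical_key(qname)
        if q[:len(self.apex)] != self.apex:
            return False  # outside the zone these NSECs speak for
        for owner, nxt in self.ranges:
            if nxt == self.apex:      # last NSEC in the zone wraps around
                if q > owner:
                    return True
            elif owner < q < nxt:
                return True
        return False

if __name__ == "__main__":
    cache = NsecCache("example")
    cache.add("fa.example", "fz.example")  # constructed NSEC from the thread
    for name in ("bar.foo.example", "fun.example", "bar.fun.example", "g.example"):
        print(name, "cut:", nxdomain_cut_covers("foo.example", name),
              "nsec:", cache.covers(name))
```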