On 03/09/2021 09.32, Paul Wouters wrote:
> I guess with aggressive nsec, you might even gain some CPU cycles back
> for that extra memory used, and receive less queries too? Saving you
> some money?

I think these savings won't be significant in delegation-centric zones
that are huge enough to consider opt-out. (But from TLDs I'd perhaps
only consider .com to be huge enough.) For resolvers the memory issue
is even more significant, because they share it for *all* zones, so you
can't expect them to keep a significant fraction of huge zones in
cache. Without being delegation-centric you could at least noticeably
utilize one NODATA answer to deny all missing types at the name (A +
AAAA is a typical queried pair, to be joined by HTTPS).
--Vladimir | knot-resolver.cz
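
The NODATA point in the message above, as an added example that is not part of the original post: a simplified sketch of aggressive NSEC use (RFC 8198) in which one cached NSEC record answers later queries for other types at the same name and for names it covers. The zone names, type sets and function names are constructed for illustration; DNSSEC validation, TTL handling and wildcard proofs are assumed to happen elsewhere and are omitted.

```python
# Added example: answering from one cached NSEC record (RFC 8198), simplified.
# Assumptions: the record is already validated and unexpired, and the zone has
# no wildcard that could match. All names and type sets are constructed samples.

def canon_key(name):
    """Sort key for RFC 4034 sec. 6.1 canonical order: lowercase labels, rightmost first."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode() for label in reversed(labels)]

class Nsec:
    def __init__(self, owner, next_name, types):
        self.owner, self.next_name, self.types = owner, next_name, set(types)

    def covers(self, qname):
        """True if qname sorts strictly between owner and next, so it cannot exist."""
        o, n, q = canon_key(self.owner), canon_key(self.next_name), canon_key(qname)
        if o < n:
            return o < q < n
        return q > o or q < n  # last NSEC of the zone wraps around to the apex

def synthesize(cache, qname, qtype):
    """Return 'NODATA', 'NXDOMAIN', or 'MISS' (must query the authoritative side)."""
    for nsec in cache:
        if canon_key(nsec.owner) == canon_key(qname):
            # Name exists: the type bitmap decides for every type at once.
            return "MISS" if qtype in nsec.types else "NODATA"
        if nsec.covers(qname):
            return "NXDOMAIN"
    return "MISS"

# Constructed cache content: the NSEC that came back with a NODATA answer
# for "mail.example.org. A".
CACHE = [Nsec("mail.example.org.", "www.example.org.", {"MX", "RRSIG", "NSEC"})]

if __name__ == "__main__":
    for qname, qtype in [("mail.example.org.", "AAAA"),   # same name, other type
                         ("mail.example.org.", "HTTPS"),
                         ("mail.example.org.", "MX"),     # type is in the bitmap
                         ("ns1.example.org.", "A"),       # inside the covered gap
                         ("a.example.org.", "A")]:        # outside the cached range
        print(qname, qtype, "->", synthesize(CACHE, qname, qtype))
```
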