On 01/12/2021 09.35, Mark Andrews wrote:
Also stop hiding this breakage. Knot and unbound ignore the NSEC records which 
trigger this when synthesising.

Knot Resolver stopped treating minimally-covering NSEC* aggressively, but there are *two* different reasons.

1) breakages like this.  We hard-enabled aggressivity for NSEC and NSEC3 in 2018; at that point we felt very much in the minority, and it was hard to convince others that it's them who's doing it wrong (say, F5 customers).

2) low benefits of aggressive caching in this case.  When the range covers basically a single name, the possible positive effect is very limited.  There are negative non-breaking effects as well, e.g. caching of approaches like [black-lies].  You also need to weigh the (negligible) benefits against (small-ish) costs of aggressive cache-searching.

[black-lies] https://blog.cloudflare.com/black-lies/

--Vladimir
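
The second point above, worked through as an added example (not part of the original message and not Knot Resolver's code): it compares how many later queries one cached NSEC range can answer for an ordinary zone range and for a black-lies style range. The sample names, the simplified escape handling (only `\DDD`) and the `is_single_name_range` heuristic are assumptions made for illustration.

```python
import re

def canon_key(name):
    """Sort key for RFC 4034 section 6.1 canonical order: labels compared
    right to left as lowercased bytes. Only \\DDD escapes are decoded."""
    labels = [l.encode() for l in name.split(".") if l]
    unescape = lambda l: re.sub(rb"\\(\d{3})", lambda m: bytes([int(m.group(1))]), l)
    return tuple(unescape(l).lower() for l in reversed(labels))

def covers(owner, nxt, qname):
    """True if qname falls strictly inside the gap owner -> nxt."""
    o, n, q = canon_key(owner), canon_key(nxt), canon_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC of a zone wraps around to the apex

def is_single_name_range(owner, nxt):
    """Hypothetical heuristic: nxt is the smallest possible child of owner,
    the shape used by black lies (owner -> \\000.owner)."""
    return canon_key(nxt) == canon_key(owner) + (b"\x00",)

def reusable_for(owner, nxt, queries):
    """Queries an aggressive cache could answer from this one NSEC."""
    return [q for q in queries if covers(owner, nxt, q)]

# Constructed sample data, not taken from any real zone.
ZONE_NSEC = ("alpha.example.", "mail.example.")
BLACK_LIES_NSEC = ("nope.example.", "\\000.nope.example.")
QUERIES = ["beta.example.", "ftp.example.", "a.nope.example.", "zzz.example."]

if __name__ == "__main__":
    for label, (owner, nxt) in (("zone", ZONE_NSEC), ("black lies", BLACK_LIES_NSEC)):
        print(label, is_single_name_range(owner, nxt), reusable_for(owner, nxt, QUERIES))
```

In canonical order no name sorts between `nope.example.` and `\000.nope.example.`, so the black-lies record matches none of the sample queries, while the ordinary zone range matches two of them.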
