On 01/12/2021 13.43, Mark Andrews wrote:
> Accepting 'QNAME NSEC \000.QNAME NSEC RRSIG' (and other type maps) protects you from random QTYPE attacks. It also makes 'black lies' work as intended.
Black lies got bad caching when Knot Resolver accepted this aggressively. Repeatedly asking for two different QTYPEs became uncacheable, as those answers need different NSEC* record contents (for the same NSEC* owner). Of course, with a different caching design this might be different, but it just didn't seem worthwhile to me. If someone cares about good caching, they shouldn't use minimal ranges.
--Vladimir

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
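The caching point above, as an added example that is not part of the thread and not Knot Resolver's code: a toy RFC 8198-style aggressive NSEC cache that keeps one NSEC RRset per owner, replayed against the same query sequence with answers from a conventional NSEC chain and from minimal-range ('black lies') synthesis with owner QNAME and next name \000.QNAME. The zone, the query list, the class and function names, and the assumption that a minimal-range NODATA answer carries the real type bitmap of the name are all constructed for this example; wildcard (closest-encloser) proofs and the per-QTYPE bitmap differences Vladimir mentions are not modelled.

```python
# Added example, not from the DNSOP thread or Knot Resolver. Toy RFC 8198-style
# aggressive NSEC cache comparing conventional NSEC chains with minimal-range
# ("black lies") answers. Zone, queries and names are constructed sample data.


def canonical_key(name):
    """Sort key for DNS canonical name order (RFC 4034 section 6.1): labels are
    compared right to left, case-insensitively; a name sorts after its parent."""
    labels = name.lower().rstrip(".").split(".")
    return tuple(label.encode("ascii") for label in reversed(labels))


class NSEC:
    def __init__(self, owner, next_name, types):
        self.owner = owner
        self.next_name = next_name
        self.types = frozenset(types)

    def covers(self, qname):
        """True if qname lies strictly between owner and next_name, i.e. this NSEC
        proves qname does not exist. The last NSEC of a chain wraps to the apex."""
        o, n, q = canonical_key(self.owner), canonical_key(self.next_name), canonical_key(qname)
        if o < n:
            return o < q < n
        return q > o or q < n

    def proves_nodata(self, qname, qtype):
        """True if this NSEC proves qname exists without a qtype RRset. An NSEC at a
        delegation (NS without SOA) or a CNAME owner must not be used this way
        (RFC 6840 section 4.1)."""
        if canonical_key(qname) != canonical_key(self.owner):
            return False
        if "CNAME" in self.types or ("NS" in self.types and "SOA" not in self.types):
            return False
        return qtype not in self.types


class AggressiveCache:
    """One NSEC RRset per owner, last answer wins, as a plain RRset cache stores it.
    Wildcard (closest-encloser) proofs are omitted in this toy."""

    def __init__(self):
        self.nsec = {}
        self.hits = 0
        self.misses = 0

    def store(self, rr):
        self.nsec[canonical_key(rr.owner)] = rr  # replaces any earlier NSEC for this owner

    def lookup(self, qname, qtype):
        """Return 'NXDOMAIN', 'NODATA' or None (miss), counting hits and misses."""
        for rr in self.nsec.values():
            if rr.proves_nodata(qname, qtype):
                self.hits += 1
                return "NODATA"
            if rr.covers(qname):
                self.hits += 1
                return "NXDOMAIN"
        self.misses += 1
        return None


def nsec_chain(zone):
    """Build the NSEC chain of a zone given as {owner: set_of_types}."""
    names = sorted(zone, key=canonical_key)
    return [NSEC(n, names[(i + 1) % len(names)], zone[n] | {"NSEC", "RRSIG"})
            for i, n in enumerate(names)]


def conventional_denial(zone, qname, qtype):
    """NSEC a conventional server returns for a negative answer (None if positive)."""
    for rr in nsec_chain(zone):
        if rr.proves_nodata(qname, qtype) or rr.covers(qname):
            return rr
    return None


def minimal_range_denial(qname, types):
    """Minimal-range synthesis: owner QNAME, next \\000.QNAME. For a nonexistent name
    the bitmap is just NSEC RRSIG; for NODATA it lists the real types (assumption)."""
    return NSEC(qname, "\x00." + qname, set(types) | {"NSEC", "RRSIG"})


ZONE = {"example.": {"SOA", "NS"}, "a.example.": {"A"}, "d.example.": {"A", "MX"}}  # constructed
QUERIES = [("b.example.", "A"), ("c.example.", "AAAA"), ("bb.example.", "MX"),
           ("a.example.", "AAAA"), ("a.example.", "TXT"), ("b.example.", "AAAA")]


def replay(queries, fetch):
    """Replay queries against a fresh cache; on a miss, fetch(qname, qtype) supplies
    the authoritative NSEC, which is stored. Returns (hits, misses)."""
    cache = AggressiveCache()
    for qname, qtype in queries:
        if cache.lookup(qname, qtype) is None:
            cache.store(fetch(qname, qtype))
    return cache.hits, cache.misses


def compare(queries=QUERIES, zone=ZONE):
    conventional = replay(queries, lambda q, t: conventional_denial(zone, q, t))
    minimal = replay(queries, lambda q, t: minimal_range_denial(q, zone.get(q, set())))
    return {"conventional": conventional, "minimal": minimal}


if __name__ == "__main__":
    print(compare())
```

With the constructed zone, the single NSEC a.example. -> d.example. fetched for the first query serves every later query (five hits, one miss), while each minimal-range NSEC covers only its own QNAME, so every new name is a miss (two hits, four misses). Note also that a minimal-range NSEC for a nonexistent name is indistinguishable from a NODATA proof for that owner, which is why the cache reports the last query as NODATA rather than NXDOMAIN.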