> On 1 Dec 2021, at 23:57, Vladimír Čunát <vladimir.cunat+i...@nic.cz> wrote:
> 
> On 01/12/2021 13.43, Mark Andrews wrote:
>> Accepting 'QNAME NSEC \000.QNAME NSEC RRSIG' (and other type maps) protects 
>> you from random QTYPE attacks.  It also makes 'black lies' work as intended.
> 
> Black lies got bad caching if Knot Resolver accepted this aggressively.  
> Asking two different QTYPEs repeatedly got uncacheable, as those answers need 
> different NSEC* record contents (for the same NSEC* owner).  Of course, with 
> different caching design this might be different, but it just didn't seem 
> worthwhile to me.  If someone cares for good caching, they shouldn't use 
> minimal ranges.

Black lies is "QNAME NSEC \000.QNAME NSEC RRSIG".  There is no churn for "black 
lies".  Black lies turns NXDOMAIN into NODATA.

"DNS Shotgun" can produce churn of NSEC if you ask for a type that is listed as 
existing but it doesn’t actually exist.  The NSEC returned is still valid for 
DNSSEC synthesis.

> --Vladimir
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
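Added illustration of the two caching behaviours discussed above (mine, not code from the thread, from Knot Resolver, or from BIND): a toy RFC 8198 style aggressive NSEC cache in Python. It shows that the black-lies record "QNAME NSEC \000.QNAME NSEC RRSIG" does not depend on QTYPE, so one cached copy answers every type at that name, and that its range covers no other name, so it can only ever yield NODATA, never NXDOMAIN. For contrast it also models an NSEC whose type bitmap changes with the query, which a one-NSEC-per-owner cache can never reuse. The name parser (only \DDD escapes), the one-NSEC-per-owner cache, the `query_dependent_nsec` responder and the sample names are assumptions made for the illustration; the wildcard proof RFC 8198 requires before synthesizing NXDOMAIN is omitted.

```python
"""Toy RFC 8198-style aggressive NSEC cache: what caches well and what churns.

Added illustration, not code from the thread, Knot Resolver or BIND. Assumed:
names are label tuples, only \\DDD escapes are parsed, the cache keeps one NSEC
per owner, and the wildcard proof needed before synthesizing NXDOMAIN is omitted.
"""
from typing import Dict, FrozenSet, List, NamedTuple, Optional, Tuple

Labels = Tuple[bytes, ...]


def parse_name(text: str) -> Labels:
    """Presentation-format name -> tuple of labels; only \\DDD escapes handled."""
    text = text.rstrip(".")
    if not text:
        return ()                                   # root
    labels, cur, i = [], bytearray(), 0
    while i < len(text):
        if text[i] == "\\" and text[i + 1:i + 4].isdigit():
            cur.append(int(text[i + 1:i + 4]))      # \000 -> one 0x00 octet
            i += 4
        elif text[i] == ".":
            labels.append(bytes(cur))
            cur = bytearray()
            i += 1
        else:
            cur.append(ord(text[i]))
            i += 1
    labels.append(bytes(cur))
    return tuple(labels)


def canonical_key(name: Labels) -> Tuple[bytes, ...]:
    """RFC 4034 s6.1 canonical order: labels right to left, ASCII-lowercased, a
    prefix label sorting first; tuple-of-bytes comparison has those rules."""
    return tuple(label.lower() for label in reversed(name))


class NSEC(NamedTuple):
    owner: Labels
    next: Labels
    types: FrozenSet[str]                           # the type bitmap

    def matches(self, qname: Labels) -> bool:
        return canonical_key(self.owner) == canonical_key(qname)

    def covers(self, qname: Labels) -> bool:
        o, n, q = map(canonical_key, (self.owner, self.next, qname))
        if n <= o:                                  # last NSEC of the zone wraps
            return q > o or q < n
        return o < q < n


def black_lie(qname: Labels) -> NSEC:
    """'QNAME NSEC \\000.QNAME NSEC RRSIG': next name is the first possible child
    of QNAME, so the range covers no other name; the bitmap claims only NSEC and
    RRSIG at QNAME and does not depend on QTYPE."""
    return NSEC(qname, (b"\x00",) + qname, frozenset({"NSEC", "RRSIG"}))


def query_dependent_nsec(qname: Labels, qtype: str) -> NSEC:
    """Constructed contrast (assumption, not a real responder): same owner/next,
    but the bitmap is a fixed claimed set minus the type just asked for, so the
    record changes with QTYPE."""
    claimed = frozenset({"A", "AAAA", "MX"})
    return NSEC(qname, (b"\x00",) + qname, (claimed - {qtype}) | {"NSEC", "RRSIG"})


class AggressiveCache:
    """One NSEC per owner: a new RRset for the same owner replaces the old one."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[bytes, ...], NSEC] = {}

    def add(self, rec: NSEC) -> None:
        self.entries[canonical_key(rec.owner)] = rec

    def synthesize(self, qname: Labels, qtype: str) -> Optional[str]:
        for rec in self.entries.values():
            if rec.matches(qname):
                if qtype in rec.types or "CNAME" in rec.types:
                    return None                     # type may exist: ask upstream
                return "NODATA"
            if rec.covers(qname):
                return "NXDOMAIN"                   # real resolvers also check wildcards
        return None


def run_queries(responder, queries: List[Tuple[Labels, str]]) -> Tuple[List[str], int]:
    """Answer from cache when possible, else ask `responder` (which always says
    NODATA plus an NSEC) and cache that NSEC. Returns (answer sources, cache hits)."""
    cache, sources, hits = AggressiveCache(), [], 0
    for qname, qtype in queries:
        rcode = cache.synthesize(qname, qtype)
        if rcode is not None:
            hits += 1
            sources.append(f"{rcode} (cache)")
            continue
        cache.add(responder(qname, qtype))
        sources.append("NODATA (upstream)")
    return sources, hits
```

Running `run_queries(lambda n, t: black_lie(n), [(foo, "A"), (foo, "AAAA")] * 3)` with `foo = parse_name("foo.example.")` gives one upstream query and five cache hits, while the same sequence against `query_dependent_nsec` gives six upstream queries and no hits, because each answer's bitmap lists the type the previous query asked about. A black-lies NSEC for `foo.example.` never covers `bar.foo.example.`, so a query for any child name still goes upstream and gets NODATA there rather than NXDOMAIN.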
