It appears that libor.peltan <libor.pel...@nic.cz> said:
>Alternatively, we may say that the RFC8078 bootstrapping is deprecated,
>but still, it doesn't mean that we replace it.

That seems reasonable. Does anyone actually do the current TOFU-ish bootstrap?

>>> Do no longer suggest NSEC-walking Signaling Domains. (It does not
>>> work well due to the Signaling Type prefix. What's more, it's unclear
>>> who would do this: Parents know their delegations and can do a
>>> targeted scan; others are not interested.)

There's still a reference to NSEC walking in the penultimate paragraph in sec 3.3.

I think it's still worth a suggestion in the trigger section that operators allow AXFR of the signal information. While probing is just as fast if there are only a few domains delegated to a NS, there are name servers that have hundreds of thousands or millions of delegated names.

I counted name servers in the .com zone, and found 93 with more than a million each, a total of 120 million delegations. Even very slow AXFRs of 93 zones are a lot faster than 120 million DNS queries.

Here's the first 20 of them:

4058923 nsg2.namebrightdns.com.
4058900 nsg1.namebrightdns.com.
3792278 dns1.registrar-servers.com.
3790659 dns2.registrar-servers.com.
3448893 ns1.gname-dns.com.
3448848 ns2.gname-dns.com.
2911454 jm1.dns.com.
2911442 jm2.dns.com.
2007121 ns1.bluehost.com.
2006794 ns2.bluehost.com.
1307459 ns1.dnsowl.com.
1307396 ns2.dnsowl.com.
1298775 ns3.dnsowl.com.
1174095 ns02.squarespacedns.com.
1174093 ns01.squarespacedns.com.
1135648 ns03.squarespacedns.com.
1135645 ns04.squarespacedns.com.
1119945 dm2.dns.com.
1119944 dm1.dns.com.
1118011 ns-cloud-c1.googledomains.com.

R's,
John
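
The per-name-server count and the probe-versus-AXFR comparison described in the message above can be reproduced with a short script. This is an added example, not code from the post or its author; the sample records are constructed, the function names are hypothetical, and it assumes one NS record per line with fully qualified names and at least one probe per (delegation, name server) pair.

```python
"""Count delegations per name server and compare scan strategies."""

# Constructed sample in master-file style; not data from the .com zone.
SAMPLE_ZONE = """\
; constructed sample delegations
alpha.example. 172800 IN NS ns1.bulkhost.example.
alpha.example. 172800 IN NS ns2.bulkhost.example.
beta.example.  172800 IN NS NS1.BulkHost.example.
beta.example.  172800 IN NS ns2.bulkhost.example.
gamma.example. 172800 IN NS ns1.bulkhost.example.
gamma.example. 172800 IN NS ns1.small.example.
gamma.example. 86400 IN DS 12345 13 2 ABCD
delta.example. 172800 IN NS ns1.small.example.
"""


def delegations_per_ns(zone_text):
    """Map each name server to the set of child zones delegated to it."""
    per_ns = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments
        # NS rdata is a single name, so the type is the second-to-last field.
        if len(fields) < 3 or fields[-2].upper() != "NS":
            continue
        # DNS names are case-insensitive; normalise before counting.
        owner, target = fields[0].lower(), fields[-1].lower()
        per_ns.setdefault(target, set()).add(owner)
    return per_ns


def scan_cost(per_ns, threshold):
    """Return (large name servers, probe queries, AXFRs) for a parent scan.

    Probing costs at least one query per (delegation, name server) pair;
    transferring the signal information costs one AXFR per name server.
    """
    big = {ns: len(z) for ns, z in per_ns.items() if len(z) > threshold}
    ranked = sorted(big.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked, sum(big.values()), len(big)


if __name__ == "__main__":
    ranked, probes, axfrs = scan_cost(delegations_per_ns(SAMPLE_ZONE), 1)
    for ns, count in ranked:
        print(f"{count:8d} {ns}")
    print(f"{probes} probe queries vs {axfrs} AXFRs")
```

With a threshold of 1000000 on a real TLD zone file, the first value is the ranked list in the format used above and the other two are the figures being compared (120 million queries against 93 transfers in the message).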