Joe Abley wrote on 2023-03-29 01:56:
Hi Paul,
> On Tue, Mar 28, 2023 at 14:51, Paul Vixie
>> ... for perspective, no root name
>> server has deployed this alternative form of Denial of Existence, ...
> Root servers don't do online signing; they serve a pre-signed zone. They
> don't have a motivation to reduce the cost of signature generation at
> response time because that cost is already zero.
oops. duh.
however, olafur's original CF blog post about CDoE also talked about
packet size (desiring explicitly to fit in 512b). justification was
about fragmentation avoidance, not CPU time needed to construct
responses that were smaller than 512b being less than for responses that
were larger than 512b. i think it's worth asking if this still matters,
or else, is the current perceived benefit of CDoE simply that a NODATA
response is easier to construct and contains no wildcard disproof?
--
P Vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
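The packet-size question raised in the message above can be checked by building the two authority sections by hand and counting bytes. The following is an added example, not code from the DNSOP list or from any of the participants: it constructs a classic NSEC NXDOMAIN answer (SOA, closest-encloser NSEC, wildcard-disproof NSEC, each with its RRSIG) and a Compact Denial of Existence NODATA answer (SOA plus a single NSEC owned by the queried name, with a bitmap of RRSIG and NSEC as in the original "black lies" design), then compares both against the 512-byte limit. The zone `example.com.`, the name `nonexistent.example.com.`, the TTLs, timestamps and key tag are all made up; names are written uncompressed with no EDNS OPT record, and signatures are zero-filled placeholders of realistic length, so the byte counts are an upper bound on what a real server emits.

```python
"""Constructed size comparison of two DNSSEC denial-of-existence answers.

Added example for the DNSOP thread above, not code from the list or its
participants. Zone names, TTLs, timestamps and key tags are assumptions,
names are written uncompressed (no RFC 1035 compression, no EDNS OPT),
and signatures are zero-filled placeholders of realistic length.
"""
import struct

TYPE_A, TYPE_NS, TYPE_SOA, TYPE_RRSIG, TYPE_NSEC, TYPE_DNSKEY = 1, 2, 6, 46, 47, 48
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
ALG_ECDSAP256SHA256 = 13
SIG_LEN = {"ecdsap256": 64, "rsa2048": 256}  # raw signature bytes per algorithm

ZONE = "example.com."                 # constructed zone (assumption)
QNAME = "nonexistent.example.com."    # queried name that does not exist


def encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels plus root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def type_bitmap(types):
    """NSEC type bitmap, window block 0 only (types < 256), RFC 4034 section 4.1.2."""
    nbytes = max(types) // 8 + 1
    bits = bytearray(nbytes)
    for t in types:
        bits[t // 8] |= 0x80 >> (t % 8)
    return bytes([0, nbytes]) + bytes(bits)


def rr(owner, rtype, rdata, ttl=3600):
    """One resource record: owner, TYPE, CLASS IN, TTL, RDLENGTH, RDATA."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def soa_rdata(mname, rname):
    return encode_name(mname) + encode_name(rname) + struct.pack(
        "!IIIII", 2023032801, 7200, 3600, 1209600, 3600)


def nsec_rdata(next_name, types):
    return encode_name(next_name) + type_bitmap(types)


def rrsig_rdata(covered, signer, sig_len, labels):
    """RRSIG RDATA (RFC 4034 section 3.1) with a zero-filled placeholder signature."""
    fixed = struct.pack("!HBBIIIH", covered, ALG_ECDSAP256SHA256, labels,
                        3600, 1681000000, 1679800000, 12345)
    return fixed + encode_name(signer) + b"\x00" * sig_len


def signed(owner, rtype, rdata, sig_len):
    """The RR plus the RRSIG that covers it, both owned by `owner`."""
    labels = len([l for l in owner.rstrip(".").split(".") if l])
    return [rr(owner, rtype, rdata),
            rr(owner, TYPE_RRSIG, rrsig_rdata(rtype, ZONE, sig_len, labels))]


def response(rcode, authority):
    """Authoritative answer (QR and AA set) with an empty answer section."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400 | rcode, 1, 0, len(authority), 0)
    question = encode_name(QNAME) + struct.pack("!HH", TYPE_A, 1)
    return header + question + b"".join(authority)


def soa_rrset(sig_len):
    return signed(ZONE, TYPE_SOA,
                  soa_rdata("ns1.example.com.", "hostmaster.example.com."), sig_len)


def traditional_nxdomain(sig_len):
    """RFC 4035 section 3.1.3.2: NSEC covering the name plus NSEC covering the wildcard."""
    auth = soa_rrset(sig_len)
    # closest-encloser proof: mail < nonexistent < www in canonical order
    auth += signed("mail.example.com.", TYPE_NSEC,
                   nsec_rdata("www.example.com.", [TYPE_A, TYPE_RRSIG, TYPE_NSEC]), sig_len)
    # wildcard disproof: the apex NSEC covers *.example.com
    auth += signed(ZONE, TYPE_NSEC,
                   nsec_rdata("mail.example.com.",
                              [TYPE_NS, TYPE_SOA, TYPE_RRSIG, TYPE_NSEC, TYPE_DNSKEY]), sig_len)
    return response(RCODE_NXDOMAIN, auth)


def compact_nodata(sig_len):
    """Compact DoE ("black lies"): NOERROR/NODATA with one NSEC owned by QNAME itself."""
    auth = soa_rrset(sig_len)
    auth += signed(QNAME, TYPE_NSEC,
                   nsec_rdata("\x00." + QNAME, [TYPE_RRSIG, TYPE_NSEC]), sig_len)
    return response(RCODE_NOERROR, auth)


def compare(sig_len):
    """Wire size of each answer and whether it fits the classic 512-byte UDP limit."""
    sizes = {"nxdomain": len(traditional_nxdomain(sig_len)),
             "compact_nodata": len(compact_nodata(sig_len))}
    return {k: (v, v <= 512) for k, v in sizes.items()}


if __name__ == "__main__":
    for alg, n in SIG_LEN.items():
        print(alg, compare(n))
```

With these constructed names the classic NXDOMAIN carries three signatures and two NSECs, the compact answer two signatures and one NSEC; under ECDSA P-256 only the compact form stays under 512 bytes here, while under RSA-2048 neither does, which is the size trade-off the message asks about. Real servers compress repeated owner names and usually negotiate a larger EDNS buffer, so both figures shrink in practice; the relative saving of one NSEC and one RRSIG is what remains.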