Christian Elmerot wrote on 2023-03-29 08:24:
> On 2023-03-29 15:45, Paul Vixie wrote:
>> however, olafur's original CF blog post about CDoE also talked about
>> packet size (desiring explicitly to fit in 512b). justification was
>> about fragmentation avoidance, not CPU time needed to construct
>> responses that were smaller than 512b being less than for responses
>> that were larger than 512b. i think it's worth asking if this still
>> matters, or else, is the current perceived benefit of CDoE simply that
>> a NODATA response is easier to construct and contains no wildcard
>> disproof?
>
> The original blog does bring up the CPU argument:
> https://blog.cloudflare.com/black-lies/
> from the Conclusion:
> "We're proud of our negative answers. They help us keep packet size
> small, and CPU consumption low enough for us to provide DNSSEC for free
> for any domain"

after X years your load has scaled to use all headroom added by your
supply chain? usually these things relax. are you sure you still need to
ask the world to accept NODATA in place of NXDOMAIN?

be sure that while olafur's blog is proud of its negative answers, those
answers are non-negative, denying rrsets but not names, and the cost of
that shortcut is a burden on internet security workers everywhere. we
need to know when a name is asserted to not exist, and when.

> and yes packet size still matters

can you help me understand why? for the networks i touch, PPS matters
quite a lot but BPS differences between 512b and 1500b do not.
--
P Vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
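Added example, not part of the thread above or of any project it mentions: a small Python classifier showing the distinction Paul is drawing between a conventional NXDOMAIN and a compact-denial NODATA that "denies rrsets but not names". It works on a simplified record model rather than DNS wire format, and the shape it looks for (an NSEC whose owner is the query name, whose next name is "\000." + qname, and whose type bitmap holds only RRSIG and NSEC) is my reading of the Black Lies design, stated here as an assumption; the sample responses are constructed, not captured.

```python
# Added example (not from the thread): classify a DNS negative answer so
# that a "Black Lies"-style compact denial is not mistaken for an ordinary
# NODATA. Uses a simplified record model; the wire format is not parsed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class NSEC:
    owner: str           # owner name of the NSEC record
    next_name: str       # "next domain name" field
    types: frozenset     # type bitmap, e.g. frozenset({"A", "RRSIG", "NSEC"})


@dataclass
class Response:
    qname: str
    qtype: str
    rcode: str                                  # "NOERROR" or "NXDOMAIN"
    answer: list = field(default_factory=list)  # RR types present in ANSWER
    nsecs: list = field(default_factory=list)   # NSEC records in AUTHORITY


def norm(name):
    """Lower-case a name and make it fully qualified."""
    return name.lower().rstrip(".") + "."


def classify(r):
    """Return NXDOMAIN, DATA, NODATA, COMPACT_DENIAL, NODATA_UNPROVEN or OTHER."""
    if r.rcode == "NXDOMAIN":
        return "NXDOMAIN"            # conventional denial: the name does not exist
    if r.rcode != "NOERROR":
        return "OTHER"
    if r.answer:
        return "DATA"
    # NOERROR with an empty answer section is NODATA. Look at the NSEC that
    # covers the query name to see what kind of NODATA it is.
    qn = norm(r.qname)
    for nsec in r.nsecs:
        if norm(nsec.owner) != qn:
            continue
        # Assumption (my reading of the Black Lies design): the server
        # synthesises an NSEC whose owner is the qname, whose next name is
        # "\000." + qname, and whose bitmap lists only RRSIG and NSEC. The
        # same shape serves nonexistent names and empty non-terminals, so the
        # response proves "no <qtype> here" but not whether the name exists.
        if norm(nsec.next_name) == "\\000." + qn and nsec.types <= {"RRSIG", "NSEC"}:
            return "COMPACT_DENIAL"
        return "NODATA"              # the name exists and has other types
    return "NODATA_UNPROVEN"         # no covering NSEC: nothing to reason from


def name_known_absent(r):
    """True only when the response actually asserts that qname does not exist."""
    return classify(r) == "NXDOMAIN"


# Constructed sample responses (not captured traffic).
SAMPLES = {
    "nxdomain": Response("nope.example.net", "A", "NXDOMAIN",
                         nsecs=[NSEC("example.net.", "www.example.net.",
                                     frozenset({"SOA", "NS", "RRSIG", "NSEC"}))]),
    "compact": Response("nope.example.net", "A", "NOERROR",
                        nsecs=[NSEC("nope.example.net.", "\\000.nope.example.net.",
                                    frozenset({"RRSIG", "NSEC"}))]),
    "nodata": Response("www.example.net", "AAAA", "NOERROR",
                       nsecs=[NSEC("www.example.net.", "zzz.example.net.",
                                   frozenset({"A", "RRSIG", "NSEC"}))]),
}

if __name__ == "__main__":
    for label, resp in SAMPLES.items():
        print(f"{label:9s} -> {classify(resp):15s} name known absent: "
              f"{name_known_absent(resp)}")
```

The point of `name_known_absent` is the one the thread turns on: only the NXDOMAIN sample lets a consumer conclude the name is gone, while the compact-denial sample yields NOERROR plus an NSEC that is indistinguishable from an empty non-terminal, so anything downstream (logging, filtering, abuse triage) that keys on name nonexistence has to treat it as unknown.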