zuop...@cnnic.cn wrote on 2024-01-06 22:59:
> ...
> Aggressive NSEC (RFC 8198) is useful against NXNSAttack-like attacks,
> because it allows a DNSSEC-validating resolver to generate negative
> answers within a range. ...
have you looked at dns rrl?
> ... But if an NSEC3 RR has the Opt-Out flag set, it can't
> be used for aggressive negative caching. In addition, the DNSSEC adoption
> rate remains low in some areas, and this situation may not change
> significantly over a long period of time for policy reasons.
i think as long as we keep adding features that are only necessary
because dnssec lacks certain features or is not universally deployed or
both, then dnssec will lack certain features or not be universally
deployed or both. please be careful what you wish for.
> Compared to DNSSEC, the draft is relatively simple: it uses an OPT RR
> option to confirm NS records only when a resolver is requesting the
> addresses (glue records) of delegation points, and it is compatible with
> the current DNS protocol.
it will always be within our powers to add complexity. google for "dns
camel" to find out one author's thoughts about how to use that power
more wisely.
--
P Vixie
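An added illustration of the RFC 8198 mechanism the quoted paragraph describes, namely how a validating resolver turns a cached NSEC RR into a synthesized NXDOMAIN and why an Opt-Out NSEC3 cannot be used the same way. This is example code written for this page, not code from either correspondent, from the draft under discussion, or from any resolver; the function names, the constructed zone "example." holding only a.example. and c.example., and the sample queries are all assumptions. It implements RFC 4034 section 6.1 canonical ordering, the covering test with the wrap-around at the last NSEC, and the closest-encloser/wildcard check, but does not model NSEC type bitmaps (the ancestor-delegation exclusion), TTLs, or signature validation, and it assumes names are ASCII A-labels without \DDD escapes.

```python
"""RFC 8198 aggressive negative caching, in miniature (added example).

A validating resolver holding a cached "owner NSEC next" RR has a signed
proof that no name in the canonical-order interval (owner, next) exists
in the zone, so it can answer NXDOMAIN for such names without querying
the authoritative server.  For that it needs RFC 4034 section 6.1
canonical ordering, a covering test, and proof that no wildcard could
have answered the query.  An NSEC3 RR with the Opt-Out flag set may have
unsigned delegations hashing into its interval, so it proves nothing
about non-existence and is excluded (RFC 5155, RFC 8198).
"""


def canonical_labels(name):
    """Lowercased labels, root-most first, for RFC 4034 6.1 ordering.

    Assumes A-label (ASCII) names with no \\DDD escapes (an assumption
    of this example, not a property of the protocol)."""
    name = name.rstrip(".")
    labels = name.split(".") if name else []
    return [lab.encode("ascii").lower() for lab in reversed(labels)]


def canonical_cmp(a, b):
    """-1, 0 or 1 as name a sorts before, equal to, or after name b.

    Python compares lists of bytes element by element with a shorter
    prefix sorting first, which is exactly the RFC 4034 rule."""
    la, lb = canonical_labels(a), canonical_labels(b)
    return (la > lb) - (la < lb)


def is_subdomain(name, ancestor):
    """True if name equals ancestor or lies below it."""
    n, a = canonical_labels(name), canonical_labels(ancestor)
    return n[:len(a)] == a


def nsec_covers(owner, next_name, qname):
    """True if qname lies strictly inside the interval (owner, next).

    qname == owner means the name exists (a NODATA question, not one
    this function answers).  When next sorts at or before owner, this is
    the last NSEC in the zone and next is the apex, so the interval wraps:
    it covers everything after owner that is still inside the zone."""
    if canonical_cmp(next_name, owner) <= 0:
        return canonical_cmp(qname, owner) > 0 and is_subdomain(qname, next_name)
    return canonical_cmp(owner, qname) < 0 and canonical_cmp(qname, next_name) < 0


def closest_encloser(qname, owner, next_name):
    """Longest existing ancestor of qname, derived from its covering NSEC
    (RFC 7129 section 5.5): the longer of qname's common suffixes with
    the NSEC owner and with the NSEC next name."""
    q = canonical_labels(qname)
    best = []
    for other in (canonical_labels(owner), canonical_labels(next_name)):
        n = 0
        while n < min(len(q), len(other)) and q[n] == other[n]:
            n += 1
        if n > len(best):
            best = q[:n]
    return ".".join(lab.decode() for lab in reversed(best)) + "."


def synthesize_nxdomain(qname, nsec_cache):
    """True if the cached NSECs (owner, next) pairs from one zone prove
    qname does not exist and that no wildcard could synthesize an answer
    for it; otherwise the resolver must ask the authoritative server."""
    covering = [(o, n) for o, n in nsec_cache if nsec_covers(o, n, qname)]
    if not covering:
        return False
    owner, nxt = covering[0]
    wildcard = "*." + closest_encloser(qname, owner, nxt)
    # The wildcard either exists (it would have answered, so no NXDOMAIN)
    # or is itself covered by a cached NSEC (then NXDOMAIN is provable).
    return any(nsec_covers(o, n, wildcard) for o, n in nsec_cache)


NSEC3_OPT_OUT = 0x01  # RFC 5155: Opt-Out is the low-order bit of Flags


def nsec3_usable_for_aggressive_caching(flags):
    """An Opt-Out NSEC3 may have unsigned delegations hashed into its
    interval, so it cannot be used to synthesize NXDOMAIN."""
    return not (flags & NSEC3_OPT_OUT)


if __name__ == "__main__":
    # Constructed zone "example." whose only names are a.example. and
    # c.example.; the three NSECs form its complete chain.
    cache = [("example.", "a.example."),
             ("a.example.", "c.example."),
             ("c.example.", "example.")]
    for q in ("b.example.", "zz.example.", "a.example.", "examplez."):
        print(q, synthesize_nxdomain(q, cache))
    print("Opt-Out NSEC3 usable:", nsec3_usable_for_aggressive_caching(0x01))
```

Two behaviours are worth noticing when running it: `examplez.` sorts after `c.example.` in canonical order yet is not covered, because the wrap-around interval of the last NSEC stops at the zone apex; and `b.example.` is only synthesizable when the cache also holds the NSEC that covers `*.example.`, which is the wildcard requirement RFC 8198 carries over from RFC 4035.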
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop