With DNS, there are several things to consider, such as numbers and counts that can complicate name resolution or cause DoS.

For example, the number of CNAME chains or the number of chains of "unrelated" name server names is not limited. (Each implementation limits them.) "KeyTrap" also seems to be caused by the configuration of a large number of DNSKEY RRs and RRSIG RRs in one domain name.

For example,

- Number of CNAME chains
- Number of "unrelated" name server name resolutions (hard to write)
- Number of NS RRs in each delegation
- Number of RRs in one RRSet
- Number of RRSIG RRs in one RRSet
- Number of DNSKEY RRs in one domain name

DNSOP WG limited NSEC3 parameters in RFC 9276, beyond which DNSSEC validation was not required.

Then, we can generate new recommendations that limit numbers, and if it exceeds those limits, it might be a name resolution error or no validation.

Rather than writing a draft for each limitation, I think it would be better to compile them all into one draft.

--
Kazunori Fujiwara, JPRS <fujiw...@jprs.co.jp>

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
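As an added illustration of the kind of resolver-side limits the post proposes (not code from the post or from any resolver implementation), the following Python sketch bounds CNAME chain following and caps the number of (DNSKEY, RRSIG) pairs a validator will try before it gives up on validation. All numeric limits are hypothetical placeholders; the post gives no values, and the zone data and key tags are constructed.

```python
from collections import Counter

# Hypothetical limits for illustration only; the post proposes standardising
# such numbers but does not give any.
MAX_CNAME_CHAIN = 8            # max CNAME hops followed for one query
MAX_RRSIG_PER_RRSET = 4        # more RRSIGs than this: skip validation
MAX_DNSKEY_PER_NAME = 8        # more DNSKEYs than this: skip validation
MAX_VALIDATION_ATTEMPTS = 16   # max (key, signature) pairs tried per RRSet


class LimitExceeded(Exception):
    """Raised when a query would exceed a configured resolution limit."""


def follow_cname(zone, name, limit=MAX_CNAME_CHAIN):
    """Follow CNAMEs starting at `name` in `zone` (dict: name -> {rtype: [rdata]}).

    Returns the list of names visited, ending at the first non-CNAME name.
    Raises LimitExceeded on a loop or when more than `limit` hops are needed,
    instead of chasing the chain indefinitely.
    """
    visited = [name]
    while zone.get(name, {}).get("CNAME"):
        if len(visited) > limit:
            raise LimitExceeded(f"CNAME chain longer than {limit} hops")
        target = zone[name]["CNAME"][0]
        if target in visited:
            raise LimitExceeded("CNAME loop detected")
        visited.append(target)
        name = target
    return visited


def count_validation_attempts(dnskey_tags, rrsig_tags):
    """Number of (DNSKEY, RRSIG) pairs a validator tries when it matches
    signatures to keys by key tag only: colliding tags multiply the work."""
    keys_by_tag = Counter(dnskey_tags)
    return sum(keys_by_tag[tag] for tag in rrsig_tags)


def validation_decision(dnskey_tags, rrsig_tags):
    """Return 'validate' when the RRSet is within limits, else 'unvalidated',
    meaning the resolver stops validating rather than burning CPU."""
    if len(dnskey_tags) > MAX_DNSKEY_PER_NAME or len(rrsig_tags) > MAX_RRSIG_PER_RRSET:
        return "unvalidated"
    if count_validation_attempts(dnskey_tags, rrsig_tags) > MAX_VALIDATION_ATTEMPTS:
        return "unvalidated"
    return "validate"


# Constructed sample zone: a -> b -> c (A record), plus a two-name loop.
SAMPLE_ZONE = {
    "a.example.": {"CNAME": ["b.example."]},
    "b.example.": {"CNAME": ["c.example."]},
    "c.example.": {"A": ["192.0.2.1"]},
    "x.example.": {"CNAME": ["y.example."]},
    "y.example.": {"CNAME": ["x.example."]},
}
```

A resolver that returns "unvalidated" for an oversized RRSet matches the post's suggestion that exceeding a limit may simply mean no validation rather than a full answer.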