On 7/19/24 10:34, Philip Homburg wrote:
>> To prevent this discrepancy between how dry-run and real validation
>> is done, the resolver either needs to halve its work bounds (which
>> is a disadvantage for real deployments), or commit to twice the
>> work it is willing to do.
>
> This would be a problem if the work a validator can reasonably do is
> close to the amount of work that is needed in real world scenarios.
> I don't think that's the case. So giving twice the resources to a DS RRset
> that includes dry-run should not be a problem.
>
> Even if it would be a problem for some particularly busy resolvers, the
> world is full of validators that are 99% idle. So the internet as a whole
> has enough resources for dry-run.

I meant this to be in response to Ben's concern about potential malicious use,
in which case 99% idling and other normal-use scenarios don't seem to be
applicable.
Rather, the work bounds are there especially to limit malicious use. Why would
a resolver want to expend twice the resources, in comparison to what they had
decided would be the maximum they would want to spend, just because the
(malicious) DS record has a dry-run entry?
Best,
Peter
--
https://desec.io/
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org