For those lacking context on "aggressive negative caching", see https://datatracker.ietf.org/doc/rfc8198/
--Ben Schwartz

________________________________
From: Roy Arends <r...@dnss.ec>
Sent: Monday, July 22, 2024 3:45 PM
To: dnsop <dnsop@ietf.org>
Subject: [DNSOP] Response to draft-fbw-dnsop-dnszonehop

I saw this on the agenda for this afternoon.

The proposed solution against zone-walking is to exclude names from an nsec chain. Example, say "B" needs to be kept private from zone-walking, so have:

A.example. NSEC C.example.
B.example. A 192.168.10.10
C.example. NSEC ...

This is a terrible idea. This will break DNSSEC. Aggressive negative caching will make sure that B won't exist, since the A NSEC C record proves it.

Happy to discuss it in the WG this afternoon.

Roy
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
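To make the failure mode concrete, here is an added example (not part of the thread, and not code from any resolver or from the draft) that models the RFC 8198 decision a validating resolver makes from its NSEC cache. It implements the DNSSEC canonical name ordering from RFC 4034 section 6.1 and the "does this NSEC cover the queried name" check, then runs it against a constructed zone matching the one in Roy's message: the zone apex, record names and the cache contents are assumptions chosen to mirror that example.

```python
"""Added example: why an NSEC chain that skips a name proves that name away.

RFC 8198 lets a validating resolver synthesize NXDOMAIN from a cached NSEC
record whenever the queried name sorts between the NSEC owner name and its
Next Domain Name in DNSSEC canonical order (RFC 4034 section 6.1). The zone
and cache below are constructed to match the thread's A/B/C example; none
of this is real resolver code.
"""


def canonical_key(name: str) -> tuple:
    """Sort key implementing DNSSEC canonical name ordering.

    Labels are compared right to left (most significant label first) as
    lowercase octet strings, and a name that is a proper prefix of another
    sorts first. A reversed tuple of lowercase label bytes compares exactly
    that way under Python's tuple ordering.
    """
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return tuple(lbl.encode("ascii").lower() for lbl in reversed(labels))


def nsec_covers(owner: str, next_name: str, qname: str, apex: str) -> bool:
    """True if 'owner NSEC next_name' proves that qname does not exist.

    The last NSEC in a chain points back to the zone apex and covers every
    name that sorts after its owner; that wrap-around case is handled here.
    A qname equal to the owner is not covered: the NSEC then speaks about
    the owner's type bitmap, not about the owner's existence.
    """
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if q == o:
        return False
    if n == canonical_key(apex):  # wrap-around NSEC at the end of the chain
        return q > o
    return o < q < n


def synthesize_nxdomain(nsec_cache, qname: str, apex: str):
    """RFC 8198 style lookup against validated NSEC records in cache.

    Returns the covering (owner, next_name) pair the resolver would use to
    answer NXDOMAIN locally, or None if it has to ask the authoritative
    server. nsec_cache is a list of (owner, next_name) tuples.
    """
    for owner, next_name in nsec_cache:
        if nsec_covers(owner, next_name, qname, apex):
            return (owner, next_name)
    return None


# Constructed zone mirroring the thread: B.example. has an A record but was
# deliberately left out of the NSEC chain, so A.example. points at C.example.
APEX = "example."
NSEC_CACHE = [
    ("a.example.", "c.example."),   # the record that "hides" B
    ("c.example.", "example."),     # last NSEC, wraps to the apex
]


def main() -> None:
    for qname in ("b.example.", "B.Example.", "c.example.", "d.example.", APEX):
        proof = synthesize_nxdomain(NSEC_CACHE, qname, APEX)
        if proof:
            print(f"{qname:14} -> NXDOMAIN synthesized from {proof[0]} NSEC {proof[1]}")
        else:
            print(f"{qname:14} -> not covered, resolver must query authority")


if __name__ == "__main__":
    main()
```

Running it shows that `b.example.` (in any letter case) is answered NXDOMAIN straight from cache by the `a.example. NSEC c.example.` record, even though the zone holds `B.example. A 192.168.10.10`; the name is not hidden from zone walking, it is made unresolvable for every resolver that implements aggressive negative caching.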