It appears that Shumon Huque <shu...@gmail.com> said:
>Thank you Michael,
>
>Your observation is certainly true. However, I want to point out that
>inability to synthesize NXDOMAIN via aggressive negative caching applies
>to any online signing scheme that uses minimally covering NSEC, not just
>Compact DoE.

It's also what happens with no DNSSEC at all, give or take larger responses. I think we can agree to note it but there's nothing to do about it.

I have to say it's amusing that now it's a security issue *not* to implement RFC 8198. When I suggested NXDOMAIN synthesis twenty years ago as a way to speed up sparse IPv6 DNSBL queries, the dnsop crowd firmly told me that I was an idiot even to propose it, and the only valid approach was to get nice fresh answers from the authoritative servers each time.

R's,
John

_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
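
The point made in the quoted text, as an added example that is not part of the thread: a resolver doing RFC 8198 aggressive negative caching can answer from a cached NSEC only when the NSEC range covers the new query name, and a minimally covering NSEC covers essentially one name. The zone contents, query names and the `minimal_nsec` helper (a simplified stand-in for the RFC 4470 predecessor/successor functions) are constructed assumptions, and the zone is assumed to have no wildcards.

```python
import bisect

def canon_key(name):
    """RFC 4034 section 6.1 canonical order: compare labels right to left, lowercased."""
    labels = name.lower().rstrip(".").split(".")
    return [label.encode("latin-1") for label in reversed(labels)]

def covers(owner, nxt, qname):
    """True if qname falls strictly inside the NSEC span owner -> nxt."""
    o, n, q = canon_key(owner), canon_key(nxt), canon_key(qname)
    # The else branch is the last NSEC in the chain, which wraps to the apex.
    return o < q < n if o < n else o < q

# Constructed sample zone, kept in canonical order.
ZONE = sorted(["example.", "alpha.example.", "mail.example.", "www.example."],
              key=canon_key)

def presigned_nsec(qname):
    """Offline-signed zone: return the real NSEC span between existing names."""
    keys = [canon_key(n) for n in ZONE]
    i = bisect.bisect_left(keys, canon_key(qname)) - 1
    return ZONE[i], ZONE[(i + 1) % len(ZONE)]

def minimal_nsec(qname):
    """Online signer: a span just wide enough for qname (simplified, hypothetical)."""
    first, _, rest = qname.partition(".")
    owner = first[:-1] + chr(ord(first[-1]) - 1) + "~." + rest
    return owner, "\x00." + qname

def upstream_queries(nsec_source, qnames):
    """Count queries that reach the authoritative server from a caching resolver."""
    cache, sent = [], 0
    for q in qnames:
        if any(covers(o, n, q) for o, n in cache):
            continue              # NXDOMAIN synthesized from a cached NSEC
        sent += 1                 # cache miss: ask the authoritative server
        cache.append(nsec_source(q))
    return sent

# Constructed nonexistent names, as a random-subdomain query stream would produce.
JUNK = ["b1.example.", "b2.example.", "c7.example.",
        "k9.example.", "x1.example.", "x2.example."]

if __name__ == "__main__":
    print("pre-signed NSEC chain:", upstream_queries(presigned_nsec, JUNK))
    print("minimally covering   :", upstream_queries(minimal_nsec, JUNK))
```

With the pre-signed chain the six queries cost two upstream lookups; with minimally covering NSEC all six reach the authoritative server, which is the same load as with no DNSSEC at all.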