wildcarding should always have been signaled by the server and synthesized in the stub. however, when dns was first developed, stubs were tiny and the idea of an extra 500 lines of C to implement wildcard synthesis would have seemed crazy.
what we should do now is evolve, for example an EDNS option or flag to indicate that the initiator is capable of understanding wildcard signalling, and if not, the responder should synthesize as before. this would be meaningful on both stub->recursive, recursive->forwarder, recursive->authority, and forwarder->authority. if a server (recursive or forwarding) knows the wildcard signal patterns then it is capable of synthesis for queries from initiators who do not know the wildcard signal patterns. this would be huge for defending against random subdomain attacks, which currently fill the cache with synthetic data that competes for LRU against real (non-attack) content. ideally the wildcard signalling would include both terminal (*.example.com) and non-terminal (www.*.example.com) naming, and rrtype-specific (only wildcard for aaaa and a, for example.) 500 lines of C code plus or minus won't have much impact on modern stubs, and would never have had much impact on any server ever.

vixie
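A constructed Python model of the proposal above, added here as an illustration and not code from Vixie's post or from any DNS implementation: the authority synthesizes for initiators that do not send the hypothetical EDNS wildcard-capability option and hands back the wildcard owner to those that do, so an aware recursive caches one wildcard entry instead of one synthesized entry per random name. The zone, names and addresses are constructed, wildcard matching is simplified to terminal wildcards one label deep, and the resolver assumes no closer name exists when it synthesizes locally.

```python
import random
# Constructed zone for the demo (not real data): one exact name plus a terminal
# wildcard that exists only for A and AAAA (the rrtype-specific case).
ZONE = {
    "www.example.com.": {"A": ["192.0.2.10"]},
    "*.example.com.": {"A": ["192.0.2.20"], "AAAA": ["2001:db8::20"]},
}

def wildcard_for(qname):
    """Terminal wildcard owner that would cover qname (simplified: one label deep)."""
    labels = qname.rstrip(".").split(".")
    candidate = "*." + ".".join(labels[1:]) + "."
    return candidate if len(labels) > 1 and candidate in ZONE else None

def authoritative_answer(qname, qtype, initiator_understands_wildcards):
    """Authority side: synthesize for legacy initiators, signal the wildcard to aware ones."""
    if qname in ZONE:  # exact match wins; pseudo-rcode NODATA if the type is absent
        rdata = ZONE[qname].get(qtype)
        return {"rcode": "NOERROR", "owner": qname, "rdata": rdata} if rdata else {"rcode": "NODATA"}
    wc = wildcard_for(qname)
    if wc is None or qtype not in ZONE[wc]:
        return {"rcode": "NXDOMAIN"}  # NXDOMAIN/NODATA distinction glossed over here
    owner = wc if initiator_understands_wildcards else qname  # signal vs. synthesize
    return {"rcode": "NOERROR", "owner": owner, "rdata": ZONE[wc][qtype]}

class Resolver:
    """Recursive resolver; `signals` models sending the hypothetical EDNS option."""
    def __init__(self, signals):
        self.signals = signals
        self.cache = {}  # (owner, qtype) -> rdata; each entry occupies one LRU slot
    def resolve(self, qname, qtype):
        if (qname, qtype) in self.cache:
            return self.cache[(qname, qtype)]
        wc = wildcard_for(qname)
        if wc and (wc, qtype) in self.cache:
            # Synthesize locally from the cached wildcard (assumes no closer name exists).
            return self.cache[(wc, qtype)]
        ans = authoritative_answer(qname, qtype, self.signals)
        if ans["rcode"] != "NOERROR":
            return None  # negative caching omitted for brevity
        self.cache[(ans["owner"], qtype)] = ans["rdata"]
        return ans["rdata"]

def random_subdomain_attack(resolver, n, seed=1):
    """Send n random-label queries under example.com; return cache entries consumed."""
    rnd = random.Random(seed)
    for _ in range(n):
        resolver.resolve(f"{rnd.getrandbits(48):012x}.example.com.", "A")
    return len(resolver.cache)
```

Running `random_subdomain_attack` against `Resolver(signals=False)` consumes one cache slot per random name, while `Resolver(signals=True)` stores the single `*.example.com.` entry and answers the rest from it.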
_______________________________________________ DNSOP mailing list -- dnsop@ietf.org To unsubscribe send an email to dnsop-le...@ietf.org