On Wed, Jan 8, 2025 at 1:52 PM Paul Vixie <paul=40redbarn....@dmarc.ietf.org> wrote: [...]
Paul, responding to just this piece of your note ..

> if a server (recursive or forwarding) knows the wildcard signal patterns
> then it is capable of synthesis for queries from initiators who do not know
> the wildcard signal patterns. this would be huge for defending against
> random subdomain attacks which currently fill the cache with synthetic
> data that competes for LRU against real (non-attack) content.

This is already possible to some extent today with traditional DNSSEC responses from signed zones that prove wildcard synthesis - no additional signaling is needed for that beyond the DO bit. RFC 8198 already describes how to synthesize wildcard-expanded responses from this.

I think it's important that such signaling is secure though (via DNSSEC-validated RRsets) rather than solely via EDNS options, which are not authenticated; otherwise they are vulnerable to abuse and DoS by DNS spoofing adversaries.

(As I pointed out in another thread, some online signing implementations do not allow such wildcard synthesis, since they claim that the full query name that matched the wildcard existed in the zone.)

Shumon.
DNSOP mailing list -- dnsop@ietf.org