On Wed, Jan 8, 2025, 10:53 AM Paul Vixie <paul=40redbarn....@dmarc.ietf.org> wrote:

> wildcarding should always have been signaled by the server and synthesized in
> the stub. however, when dns was first developed, stubs were tiny and the idea
> of an extra 500 lines of C to implement wildcard synthesis would have seemed
> crazy.
>
> what we should do now is evolve, for example an EDNS option or flag to
> indicate that the initiator is capable of understanding wildcard signalling,
> and if not, the responder should synthesize as before. this would be
> meaningful on both stub->recursive, recursive->forwarder,
> recursive->authority, and forwarder->authority.
>
> if a server (recursive or forwarding) knows the wildcard signal patterns then
> it is capable of synthesis for queries from initiators who do not know the
> wildcard signal patterns. this would be huge for defending against random
> subdomain attacks, which currently fill the cache with synthetic data that
> competes for LRU against real (non-attack) content.
Huh? Maybe I'm missing something, but if the attacker is just filling the cache on a recursive resolver, they cooperate with the origin to get the responses. Are you discussing setups where the authoritative has a caching layer that is getting hit and responses are expensive? Then there's no point in making a standard vs. having the authoritative use a smarter cache/cheaper lookup.

What would the benefit of this signalling be on the Internet? And how would it avoid being overinclusive when some names change?

Sincerely,
Watson

_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
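A small model of the scheme Paul describes and of the overinclusion question Watson raises, added here as an illustration rather than code from the thread. It assumes a constructed zone dictionary, models the "signal" simply as the wildcard owner name returned in place of the query name, and does not model the EDNS option itself; the RFC 4592 closest-encloser rule is the one real piece of DNS semantics it implements.

```python
ZONE = {"example.": "192.0.2.1", "*.example.": "192.0.2.2",   # constructed
        "www.example.": "192.0.2.3", "sub.example.": "192.0.2.4"}  # owner -> A

def exists(zone, name):
    """A name exists if it owns data or is an empty non-terminal."""
    return name in zone or any(n.endswith("." + name) for n in zone)

def covering_wildcard(zone, qname):
    """RFC 4592: the closest encloser is the longest existing ancestor of
    qname; '*.<closest encloser>' covers qname only if that wildcard exists."""
    if exists(zone, qname):
        return None                        # explicit name, no wildcard
    parts = qname.split(".")
    for i in range(1, len(parts)):
        ancestor = ".".join(parts[i:])
        if exists(zone, ancestor):
            wc = "*." + ancestor
            return wc if wc in zone else None
    return None

def authoritative(zone, qname, initiator_understands_wildcards):
    """(owner, rdata); owner is qname for an explicit or server-synthesized
    answer, the wildcard name as signal for a capable initiator, None=NXDOMAIN."""
    if qname in zone:
        return qname, zone[qname]
    wc = covering_wildcard(zone, qname)
    if wc is None:
        return None, None
    return (wc if initiator_understands_wildcards else qname), zone[wc]

def fill_cache(zone, qnames, understands):
    """Resolver cache keyed by the owner name carried in each response."""
    cache = {}
    for q in qnames:
        owner, rdata = authoritative(zone, q, understands)
        if owner is not None:
            cache[owner] = rdata
    return cache

def naive_synthesize(cache, qname):
    """Cache-side synthesis letting a cached '*.X' cover every name under X;
    ignoring the closest-encloser rule it answers a.sub.example. (NXDOMAIN)."""
    if qname in cache:
        return cache[qname]
    parts = qname.split(".")
    for i in range(1, len(parts)):
        wc = "*." + ".".join(parts[i:])
        if wc in cache:
            return cache[wc]
    return None
```

With a stream of random names under example., the legacy cache grows by one entry per name while the wildcard-aware cache holds the single `*.example.` entry; the naive cache-side synthesis then shows the overinclusion, since the cached wildcard cannot know that `sub.example.` exists (or that a name was added later) without a proof from the zone.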