Thanks for pointing out the attack of using random NS RRSets ("NS
$RANDOM.victim.example") with zero TTL. However, I believe this is still
mitigated well by RFC 9520 Section 3.2: "When an incoming query matches a
cached resolution failure, the resolver MUST NOT send any corresponding
outgoing

All
This starts a Working Group Last Call for draft-ietf-dnsop-rfc8109bis
"Initializing a DNS Resolver with Priming Queries"
The current version of the draft is available here:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc8109bis/
The Current Intended Status of this document is: Best Curre