Last night the dumb-idea fairy visited me as I was falling asleep, and suggested that another way to reduce the impact of ANY queries would be to pick *one* rrset and return just that. (Probably the numerically smallest rrtype present at the node, plus RRSIGs if any.)
This avoids poisoning caches with false NODATA, it works for both DNSSEC and non-DNSSEC zones, meets djb's requirements, makes ANY responses small, and we don't need to argue about what rrtype to use for synthesized responses in non-DNSSEC answers. Still leaks some data (which admittedly undermines the motivation of Olafur's draft) but not as much and what gets leaked would be trivial to acquire by other means anyway.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
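
The selection rule proposed in the message above, as an added sketch that is not code from the post or from any name server implementation. The `RR` record model, the `answer_any` function name and the sample node are assumptions constructed for illustration; excluding RRSIG itself from the candidate types is one reading of "plus RRSIGs if any".

```python
from dataclasses import dataclass

RRSIG = 46  # IANA rrtype number for RRSIG

@dataclass(frozen=True)
class RR:
    rrtype: int        # numeric rrtype of this record
    rdata: str         # presentation-format rdata
    covers: int = 0    # RRSIG records only: the rrtype the signature covers

def answer_any(node):
    """Return the records to send for an ANY query at this node.

    Picks the numerically smallest rrtype present (RRSIG is never the
    pick, since it only exists to cover other rrsets) and returns that
    rrset plus any RRSIGs covering it. Returns [] when the node holds no
    candidate rrset; the caller handles that as it normally would.
    """
    types = {rr.rrtype for rr in node if rr.rrtype != RRSIG}
    if not types:
        return []
    chosen = min(types)
    rrset = [rr for rr in node if rr.rrtype == chosen]
    sigs = [rr for rr in node if rr.rrtype == RRSIG and rr.covers == chosen]
    return rrset + sigs

# Constructed sample node: documentation addresses, placeholder signatures.
SIGNED_NODE = [
    RR(16, '"v=spf1 -all"'),
    RR(15, "10 mail.example."),
    RR(1, "192.0.2.1"),
    RR(1, "192.0.2.2"),
    RR(28, "2001:db8::1"),
    RR(RRSIG, "<sig over A>", covers=1),
    RR(RRSIG, "<sig over MX>", covers=15),
    RR(RRSIG, "<sig over TXT>", covers=16),
    RR(RRSIG, "<sig over AAAA>", covers=28),
]
# The same node in a zone without DNSSEC: no RRSIGs to attach.
UNSIGNED_NODE = [rr for rr in SIGNED_NODE if rr.rrtype != RRSIG]

if __name__ == "__main__":
    for name, node in (("signed", SIGNED_NODE), ("unsigned", UNSIGNED_NODE)):
        picked = answer_any(node)
        print(f"{name}: {len(picked)} of {len(node)} records returned")
        for rr in picked:
            print("   ", rr.rrtype, rr.rdata)
```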