> From: Bob Harold <rharo...@umich.edu>
> On Tue, Jul 7, 2015 at 5:20 AM, <fujiw...@jprs.co.jp> wrote:
> 
>> Akira Kato and I submitted draft-fujiwara-dnsop-nsec-aggressiveuse-01.
>>
>>
>> https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-nsec-aggressiveuse/
>>
>>
>> ...
> 
>> --
>> Kazunori Fujiwara, JPRS <fujiw...@jprs.co.jp>
>>
> I am concerned that the "AN" flag allows for easy zone walking, defeating
> the purpose of minimal range NSEC records.  So I don't think authoritative
> servers would want to respect it.

It's the problem.
However, authoritative DNS servers can detect random subdomain attacks.
They can generate NSEC resource records with a wider range
under random subdomain attacks.

> I am also concerned that random subdomain queries will set the CD bit, if
> that avoids aggressive negative caching.  So I would think that the CD bit
> should not be allowed to stop aggressive negative caching.

Thanks.
I will add it.

Regards,

--
Kazunori Fujiwara, JPRS <fujiw...@jprs.co.jp>

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
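Added example, not part of the thread or of the draft: the Python below models the trade-off the two replies above describe. It implements RFC 4034 canonical name ordering and NSEC coverage, a resolver that synthesises NXDOMAIN from cached NSEC records without letting the CD bit bypass the cache (Bob Harold's suggestion), and an authoritative server that answers either with RFC 4470-style minimal-range NSEC, with the zone's real NSEC chain, or with minimal records until it has served a threshold of NXDOMAINs and then with the real, wider records (the widening Fujiwara mentions). The zone example., its four names, the 12-character random labels and the threshold of 50 are constructed for the demo; the attack detection is a plain counter standing in for real rate measurement, the predecessor computation is a simplification of RFC 4470, and the wildcard nonexistence proof a real resolver also needs before synthesising NXDOMAIN is omitted.

```python
"""Added example (not from the draft or anyone in the thread): aggressive
negative caching from NSEC, a random-subdomain attack, and zone walking."""
import random
from typing import List, Set, Tuple

APEX = "example."
ZONE_NAMES = {"example.", "mail.example.", "ns1.example.", "www.example."}  # constructed zone
ALNUM = "abcdefghijklmnopqrstuvwxyz0123456789"


def name_key(name: str) -> Tuple[bytes, ...]:
    """Sort key giving RFC 4034 section 6.1 canonical ordering: labels are
    compared from the root downward as lowercase octet strings, and a name
    sorts before every name that extends it (so the apex comes first)."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return tuple(label.encode("latin-1") for label in reversed(labels))


class NSEC:
    """An NSEC record asserting that no name exists between owner and next."""
    def __init__(self, owner: str, next_name: str):
        self.owner, self.next = owner, next_name

    def covers(self, qname: str) -> bool:
        """True if this record proves qname does not exist. The last record
        of a chain points back at the apex, so its range wraps around."""
        if qname != APEX and not qname.endswith("." + APEX):
            return False
        q, o, n = name_key(qname), name_key(self.owner), name_key(self.next)
        return q > o if n <= o else o < q < n


def real_chain(names: Set[str]) -> List[NSEC]:
    """The zone's genuine NSEC chain; every 'next' field is an existing name."""
    ordered = sorted(names, key=name_key)
    return [NSEC(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def minimal_nsec(qname: str) -> NSEC:
    """RFC 4470-style white lie covering only qname. The successor is exact
    ('\\000.' + qname); the predecessor is simplified from RFC 4470 (decrement
    the last octet of the first label and pad the label with 0xff)."""
    first, rest = qname.split(".", 1)
    pred = first[:-1] + chr(ord(first[-1]) - 1) + "\xff" * (63 - len(first))
    return NSEC(pred + "." + rest, "\x00." + qname)


class Authoritative:
    """mode 'real': answer with the zone's NSEC; 'minimal': white lies;
    'adaptive': white lies until more than `threshold` NXDOMAINs have been
    served, then the real (wider) NSEC. Detection is a plain counter here."""
    def __init__(self, names: Set[str], mode: str, threshold: int = 50):
        self.chain, self.mode, self.threshold = real_chain(names), mode, threshold
        self.nxdomains = 0

    def nsec_for(self, qname: str) -> NSEC:
        self.nxdomains += 1
        under_attack = self.mode == "adaptive" and self.nxdomains > self.threshold
        if self.mode == "real" or under_attack:
            return next(r for r in self.chain if r.covers(qname))
        return minimal_nsec(qname)


class Resolver:
    """Resolver doing aggressive negative caching. The CD bit is accepted but
    does not bypass the cached-NSEC check. (A full implementation also needs
    the NSEC proving no wildcard matches before synthesising NXDOMAIN.)"""
    def __init__(self, auth: Authoritative):
        self.auth, self.cache, self.upstream_queries = auth, [], 0

    def query(self, qname: str, cd: bool = False) -> str:
        if qname in ZONE_NAMES:
            return "NOERROR"
        if any(r.covers(qname) for r in self.cache):
            return "NXDOMAIN (synthesised from cache)"
        self.upstream_queries += 1  # this query reached the authoritative
        self.cache.append(self.auth.nsec_for(qname))
        return "NXDOMAIN (from authoritative)"


def random_subdomain_attack(mode: str, queries: int = 200, seed: int = 1) -> Resolver:
    """Send `queries` random nonexistent names (constructed attack traffic)
    through a resolver; upstream_queries is the load the authoritative saw."""
    rng = random.Random(seed)
    resolver = Resolver(Authoritative(ZONE_NAMES, mode))
    for _ in range(queries):
        label = "".join(rng.choice(ALNUM) for _ in range(12))
        resolver.query(label + "." + APEX, cd=True)
    return resolver


def zone_walk(resolver: Resolver) -> Set[str]:
    """Names an attacker can read off the NSEC endpoints the resolver holds."""
    return {n for r in resolver.cache for n in (r.owner, r.next)}


if __name__ == "__main__":
    for mode in ("minimal", "real", "adaptive"):
        r = random_subdomain_attack(mode)
        exposed = sorted(zone_walk(r) & ZONE_NAMES)
        print(f"{mode:9} upstream queries: {r.upstream_queries:4}  real names exposed: {exposed}")
```

Running it puts the three behaviours side by side: minimal-range NSEC sends every random query upstream but its endpoints name nothing that exists; the real chain answers almost everything from cache after at most four upstream queries, and the cached endpoints enumerate the zone; the adaptive server pays the threshold in upstream queries and then behaves like the real one, exposing its names only once it is under attack.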