On Wed, Nov 11, 2015 at 01:15:37AM +0000, Wessels, Duane <dwess...@verisign.com> wrote a message of 107 lines which said:
> This updates RFC 2308 (Negative Caching of DNS Queries).

Good point, I'll add that. Also, I did not dare to add "Updates: RFC 1034". Should I?

> I think the WG needs to discuss and agree whether or not to make the
> NXDOMAIN cut based on QNAME only, or on the SOA owner name.

This is discussed (shortly) in section 5 of the draft. Apparently, it can be risky to rely on the SOA. More discussion welcome.

> If the goal is to thwart random qname attacks, then it would be
> better to use the SOA

Sure, if you don't have access to the resolver (if you do, you can "poison" it with a request QNAME=apex-of-the-attack).

> Implementing NXDOMAIN cut should also reduce the effectiveness of a
> Kaminsky attack since the attack relies on the cache to forward
> numerous non-existent names.

Right.

> I think it's a little dangerous to say that an NXDOMAIN response
> SHOULD cause a cache to delete already cached "positive" data.

Could you elaborate on why it is dangerous? (See also the second paragraph of section 7.)

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
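To make the two points the exchange above turns on concrete (where the cut is anchored, and what happens to already cached positive data), here is a toy resolver negative cache in Python. It is an added illustration, not code from the draft, from any resolver, or from either correspondent. The class and function names (`NegativeCache`, `store_nxdomain`, `lookup`, `at_or_below`), the `purge_positive` knob and the sample names and addresses are constructed for the example; the only rules taken from the sources are RFC 2308's negative TTL of min(SOA TTL, SOA MINIMUM) and the draft's idea that a cached NXDOMAIN covers the QNAME and everything under it.

```python
"""Toy negative cache with an "NXDOMAIN cut".

Constructed example: the data model and policy knobs below are
assumptions for illustration, not a resolver's or the draft's code.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Labels = Tuple[str, ...]


def to_labels(name: str) -> Labels:
    """Split a name into lower-case labels, root side first, so that an
    ancestor test becomes a tuple-prefix test:
    "www.Example.com." -> ("com", "example", "www")."""
    return tuple(l.lower() for l in name.rstrip(".").split(".") if l)[::-1]


def at_or_below(name: str, ancestor: str) -> bool:
    """True when `name` is `ancestor` or lies underneath it. Comparing label
    tuples instead of string suffixes keeps "notexample.com" outside
    "example.com"; a naive endswith() check would not."""
    n, a = to_labels(name), to_labels(ancestor)
    return n[: len(a)] == a


@dataclass
class NegativeCache:
    now: int = 0                                   # simulated clock, seconds
    cuts: Dict[Labels, int] = field(default_factory=dict)          # cut owner -> expiry
    positive: Dict[Labels, Tuple[str, int]] = field(default_factory=dict)  # name -> (rdata, expiry)
    upstream_queries: int = 0                      # times the cache could not answer

    def advance(self, seconds: int) -> None:
        self.now += seconds

    def _expire(self) -> None:
        self.cuts = {k: v for k, v in self.cuts.items() if v > self.now}
        self.positive = {k: v for k, v in self.positive.items() if v[1] > self.now}

    def store_positive(self, name: str, rdata: str, ttl: int) -> None:
        self.positive[to_labels(name)] = (rdata, self.now + ttl)

    def store_nxdomain(self, qname: str, soa_owner: str, soa_ttl: int,
                       soa_minimum: int, purge_positive: bool = False) -> None:
        # RFC 2308: a negative answer is cached for min(SOA TTL, SOA MINIMUM).
        ttl = min(soa_ttl, soa_minimum)
        # The cut is anchored at the QNAME, never at the SOA owner: the SOA
        # owner is the zone apex, which exists by definition, so a cut there
        # would deny the whole zone. The SOA owner is used only as a sanity
        # check that the answer is plausibly from an ancestor zone.
        if not at_or_below(qname, soa_owner):
            raise ValueError("SOA owner is not an ancestor of the QNAME")
        cut = to_labels(qname)
        self.cuts[cut] = self.now + ttl
        if purge_positive:
            # The disputed behaviour from the thread: drop cached positive
            # RRsets at or below the cut instead of letting them age out.
            self.positive = {k: v for k, v in self.positive.items()
                             if k[: len(cut)] != cut}

    def lookup(self, name: str) -> Optional[str]:
        """Return cached rdata, the string 'NXDOMAIN' when a live cut covers
        the name, or None when the resolver would have to query upstream.
        Positive data is consulted before cuts, so without purging, an
        NXDOMAIN does not override data that is still within its TTL
        (a policy choice of this example, not of the draft)."""
        self._expire()
        key = to_labels(name)
        if key in self.positive:
            return self.positive[key][0]
        for cut in self.cuts:
            if key[: len(cut)] == cut:
                return "NXDOMAIN"
        self.upstream_queries += 1
        return None


def demo() -> dict:
    """Walk through the behaviours discussed in the thread on constructed data."""
    out = {}
    c = NegativeCache()
    c.store_positive("www.example.com", "192.0.2.1", ttl=300)
    # Constructed NXDOMAIN for a random-looking label under example.com.
    c.store_nxdomain("xk2q.example.com", "example.com", soa_ttl=3600, soa_minimum=600)
    out["below_cut"] = c.lookup("deep.xk2q.example.com")   # NXDOMAIN, no upstream query
    out["cut_itself"] = c.lookup("xk2q.example.com")       # NXDOMAIN
    out["apex"] = c.lookup("example.com")                   # None: the cut never reaches the SOA owner
    out["sibling"] = c.lookup("xk2qq.example.com")          # None: label boundary respected
    out["positive"] = c.lookup("www.example.com")           # cached address still served
    out["upstream_after"] = c.upstream_queries              # 2
    c.advance(601)                                          # negative TTL (600 s) has passed
    out["after_expiry"] = c.lookup("deep.xk2q.example.com")  # None: cut aged out
    # Same NXDOMAIN arriving for a name with live positive data, with and without purging.
    keep, purge = NegativeCache(), NegativeCache()
    for cache, flag in ((keep, False), (purge, True)):
        cache.store_positive("www.example.com", "192.0.2.1", ttl=300)
        cache.store_nxdomain("www.example.com", "example.com", 3600, 600, purge_positive=flag)
    out["kept"] = keep.lookup("www.example.com")            # '192.0.2.1'
    out["purged"] = purge.lookup("www.example.com")         # 'NXDOMAIN'
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15} {v}")
```

The `apex` and `sibling` lookups are the ones to watch: they show why the cut has to be anchored at the QNAME with label-boundary matching, and the `kept`/`purged` pair shows exactly what the SHOULD in the draft would change for data that is still within its TTL.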