> From: 神明達哉 <jin...@wide.ad.jp>

>> > - Abstract: I suggest revising this on this point (see above):
>> >
>> >    responses as well as some level of mitigation of random sub-domain
>> >    attacks (referred to as "Water Torture" attacks).
>> >
>> > by either simply removing it or clarifying that it's mitigation for
>> > authoritative servers.
>>
>> I would like to retain all benefits in the abstract.

I discussed this with my co-author. I will rewrite "performance improvement for recursive servers" as the purpose of the draft, and "possible countermeasure of some attacks" as a side effect.

>> > - Section 4.5
>> >
>> >    Even if a wildcard is cached, it is necessary to send a query to an
>> >    authoritative server to ensure that the name in question doesn't
>> >    exist as long as the name is not in the negative cache.
>>
>> The sentence shows current specifications (Section 4.5 of RFC 4035 and
>> previous RFCs).
>
> Ah, so you actually referred to bullet #1 of RFC 4035 Section 4.5. I
> see that, but in that case I'd suggest you refer to the RFC explicitly
> here, and clarify that this is a "deduced" wildcard.

OK, I will refer to the section.

>> >    When aggressive use is enabled, regardless of description of
>> >    Section 4.5 of [RFC4035], it is possible to send a positive response
>> >    immediately when the name in question matches a NSEC/NSEC3 RRs in the
>> >    negative cache.
>> >
>> > I don't understand the second paragraph. I also don't understand
>> > how the first paragraph is related to the second. I'm not sure if
>> > it's only me, but I'd like to see more explanation here.
>>
>> The second sentence shows the aggressive use of ... changed the first
>> paragraph.
>
> I still don't get it here. Can you perhaps show a specific example of
> "send a positive response immediately when the name in question
> matches a NSEC/NSEC3 RRs in the negative cache."? Especially about
> how "a positive response" is derived from negative cache information?

I will update that part so it is expressed well.

If nonexistence of a domain name is proved and there is a matching wildcard for the domain name, then the domain name matches the wildcard. The current draft may lack a description of this.

Regards,

--
Kazunori Fujiwara, JPRS <fujiw...@jprs.co.jp>

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
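The wildcard case argued over in this thread, as an added worked example in Python; it is not code from the draft, from JPRS, or from either correspondent. It models a resolver cache holding a zone's NSEC chain plus one positive RRset learned from an earlier wildcard-expanded answer, and decides per query whether the cache alone proves NXDOMAIN, NODATA, or a synthesizable positive answer for "*.closest-encloser", or whether the authoritative server still has to be asked (the RFC 4035 Section 4.5 rule). The zone contents, the `CACHE` layout, the function names and the outcome labels are all constructed for this example; NSEC3 and delegation points are not modelled.

```python
# Constructed illustration of aggressive NSEC cache use with a cached wildcard.
# Names are dotted strings ending in "."; labels compare in the canonical
# order of RFC 4034 Section 6.1. Delegation points are ignored for brevity.

def labels(name):
    """Lower-cased labels of a name, root-side first, so tuples compare canonically."""
    return tuple(l.lower() for l in reversed(name.rstrip(".").split(".")) if l)

def to_name(lbls):
    return ".".join(reversed(lbls)) + "." if lbls else "."

def is_subdomain(name, ancestor):
    la, lb = labels(name), labels(ancestor)
    return la[:len(lb)] == lb

def covers(nsec, name):
    """True when name lies strictly between the NSEC owner and its next name."""
    owner, nxt, n = labels(nsec["owner"]), labels(nsec["next"]), labels(name)
    if owner < nxt:
        return owner < n < nxt
    return n > owner or n < nxt       # last NSEC of the chain wraps to the apex

def common_ancestor(a, b):
    la, lb = labels(a), labels(b)
    i = 0
    while i < min(len(la), len(lb)) and la[i] == lb[i]:
        i += 1
    return to_name(la[:i])

def closest_encloser(nsec, qname):
    # Both the owner and the next name of the covering NSEC exist, so the
    # longer of the two common ancestors is qname's longest existing ancestor.
    return max(common_ancestor(qname, nsec["owner"]),
               common_ancestor(qname, nsec["next"]),
               key=lambda n: len(labels(n)))

def aggressive_lookup(cache, qname, qtype):
    """Return (outcome, rrset); outcome is 'synth', 'nxdomain', 'nodata' or 'query'."""
    if not is_subdomain(qname, cache["apex"]):
        return ("query", None)            # NSEC RRs only speak for their own zone
    for r in cache["nsec"]:               # exact owner match: name exists
        if labels(r["owner"]) == labels(qname):
            return ("nodata", None) if qtype not in r["types"] else ("query", None)
    nsec = next((r for r in cache["nsec"] if covers(r, qname)), None)
    if nsec is None:
        return ("query", None)            # no proof cached: RFC 4035 Section 4.5 applies
    ce = closest_encloser(nsec, qname)
    if labels(ce) == labels(qname):
        return ("nodata", None)           # empty non-terminal: exists, holds no data
    next_closer = to_name(labels(qname)[:len(labels(ce)) + 1])
    if not any(covers(r, next_closer) for r in cache["nsec"]):
        return ("query", None)            # wildcard expansion needs this proof too
    wildcard = to_name(labels(ce) + ("*",))
    rrset = cache["positive"].get((wildcard, qtype))
    if rrset is not None:                 # cached wildcard answer: synthesize for qname
        return ("synth", {"owner": qname, "type": qtype, "rdata": rrset})
    if any(covers(r, wildcard) for r in cache["nsec"]):
        return ("nxdomain", None)         # the wildcard itself is proven absent
    return ("query", None)                # wildcard status unknown: must ask

# Constructed cache for zone "example." holding example., *.example., a.example.,
# c.example. and d.e.example. (so e.example. is an empty non-terminal).
CACHE = {
    "apex": "example.",
    "nsec": [
        {"owner": "example.",     "next": "*.example.",   "types": {"SOA", "NS", "NSEC", "RRSIG"}},
        {"owner": "*.example.",   "next": "a.example.",   "types": {"A", "NSEC", "RRSIG"}},
        {"owner": "a.example.",   "next": "c.example.",   "types": {"A", "NSEC", "RRSIG"}},
        {"owner": "c.example.",   "next": "d.e.example.", "types": {"A", "NSEC", "RRSIG"}},
        {"owner": "d.e.example.", "next": "example.",     "types": {"A", "NSEC", "RRSIG"}},
    ],
    # learned earlier from a wildcard-expanded answer (the "deduced" wildcard)
    "positive": {("*.example.", "A"): ["192.0.2.1"]},
}

if __name__ == "__main__":
    for q in ("b.example.", "x.a.example.", "e.example.", "g.e.example.", "other."):
        print(q, aggressive_lookup(CACHE, q, "A"))
```

The two branches that matter for the thread are the last ones in `aggressive_lookup`: `b.example.` is covered by the `a.example.` NSEC, its closest encloser is the apex, and the cached `*.example.` A RRset lets the resolver answer positively without a query, whereas `x.a.example.` has closest encloser `a.example.`, and because `*.a.example.` falls inside the same NSEC interval the cache proves NXDOMAIN instead. Without a cached wildcard RRset and without an NSEC covering the wildcard name, the function falls through to `query`, which is exactly the RFC 4035 Section 4.5 behaviour the draft relaxes.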