At Tue, 18 Jul 2017 18:20:56 +0530, Mukund Sivaraman <m...@isc.org> wrote:
> Dealing with water torture and some other attacks has had several
> band-aid approaches that don't always work well in practice. The most
> promising (and what feels correct) is
> draft-ietf-dnsop-nsec-aggressiveuse, but it doesn't work for unsigned
> zones.

Do you mean it's the most promising measure for authoritative servers?
If so, and if nsec-aggressiveuse is more widely deployed in resolvers,
and if the authoritative operators feel the pain so keenly, I'd rather
imagine they are willing to pay the cost of deploying DNSSEC.

If you mean it's the most promising measure for recursive servers, I
simply don't buy the argument. (I made that comment while the wg
discussed nsec-aggressiveuse and it toned down quite a lot in that
sense as a result of it, so I believe it's based on a wg rough
consensus.)

So, either way, I don't see a strong case for the trick of using
nsec-aggressiveuse on an unsigned zone with DNS cookies.

--
JINMEI, Tatuya

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
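The mechanism the thread argues about, aggressive use of cached NSEC records (draft-ietf-dnsop-nsec-aggressiveuse, published as RFC 8198), reduced to the per-query cache decision a validating resolver makes. This is an added example, not code from the thread or from any resolver the thread mentions. The zone contents, NSEC chain and query names are constructed for illustration, and the NSEC type bitmap is modelled as a set of type mnemonics. The empty-cache case at the end is the unsigned-zone situation Mukund's message points at: with no NSEC records in cache there is nothing to synthesize from, so every random-subdomain query still goes upstream.

```python
"""Aggressive use of cached NSEC records (RFC 8198), reduced to the cache
lookup a resolver does for one query.

Cached NSECs are (owner, next, type bitmap) tuples. The resolver may
synthesize NXDOMAIN when it holds an NSEC covering qname plus an NSEC
covering the wildcard at the closest encloser, and NODATA when qname is
an NSEC owner whose bitmap lacks qtype. Otherwise the query goes upstream.
"""


def labels(name):
    """Lower-cased labels of a presentation-format name, root first
    (RFC 4034 section 6.1). Escaped labels are out of scope here."""
    name = name.rstrip(".").lower()
    return name.split(".")[::-1] if name else []


def canonical_cmp(a, b):
    """-1, 0 or 1 ordering a against b in DNSSEC canonical order:
    compare labels from the root; an ancestor sorts before its children."""
    la, lb = labels(a), labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def is_ancestor_or_self(anc, name):
    la, ln = labels(anc), labels(name)
    return ln[:len(la)] == la


def nsec_covers(owner, nxt, name):
    """True if name lies strictly between owner and next. The last NSEC of
    a zone points back to the apex, so that interval wraps around."""
    if canonical_cmp(owner, nxt) < 0:
        return canonical_cmp(owner, name) < 0 < canonical_cmp(nxt, name)
    return canonical_cmp(owner, name) < 0 or canonical_cmp(name, nxt) < 0


def closest_encloser(owner, qname):
    """Longest existing ancestor of qname. Every existing ancestor of qname
    sorts at or before the covering NSEC's owner, hence is an ancestor of
    that owner too, so the common prefix of the two names is enough."""
    lo, lq = labels(owner), labels(qname)
    n = 0
    while n < min(len(lo), len(lq)) and lo[n] == lq[n]:
        n += 1
    return ".".join(reversed(lq[:n])) + "." if n else "."


def find_covering(cache, zone, name):
    """Cached NSEC from `zone` proving `name` does not exist, or None."""
    for owner, nxt, types in cache:
        if not is_ancestor_or_self(zone, owner):
            continue  # NSEC from a different zone
        # An NSEC at a delegation point or DNAME says nothing about names
        # beneath it; the child zone (or the DNAME target) owns those.
        below_cut = ("NS" in types and "SOA" not in types) or "DNAME" in types
        strictly_below = (is_ancestor_or_self(owner, name)
                          and canonical_cmp(owner, name) != 0)
        if below_cut and strictly_below:
            continue
        if nsec_covers(owner, nxt, name):
            return (owner, nxt, types)
    return None


def aggressive_answer(cache, zone, qname, qtype):
    """'NXDOMAIN', 'NODATA', or None when the query must go upstream."""
    if not is_ancestor_or_self(zone, qname):
        return None
    for owner, nxt, types in cache:
        if canonical_cmp(owner, qname) == 0:
            if "NS" in types and "SOA" not in types and qtype not in ("NS", "DS"):
                return None  # parent-side NSEC; the child zone answers this
            return None if qtype in types or "CNAME" in types else "NODATA"
    hit = find_covering(cache, zone, qname)
    if hit is None:
        return None
    # RFC 8198 section 5.1 also wants proof that no wildcard would match.
    wildcard = "*." + closest_encloser(hit[0], qname).lstrip(".")
    if find_covering(cache, zone, wildcard) is None:
        return None
    return "NXDOMAIN"


# Constructed NSEC chain for a small signed zone "example." whose names, in
# canonical order, are example., a.example., sub.example. (delegation),
# www.example.
ZONE = "example."
CACHE = [
    ("example.", "a.example.", {"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"}),
    ("a.example.", "sub.example.", {"A", "RRSIG", "NSEC"}),
    ("sub.example.", "www.example.", {"NS", "RRSIG", "NSEC"}),
    ("www.example.", "example.", {"A", "AAAA", "RRSIG", "NSEC"}),
]

if __name__ == "__main__":
    for q in ["x7k2q.example.", "b.example.", "foo.sub.example.", "www.example."]:
        print(q, aggressive_answer(CACHE, ZONE, q, "A"))
    # Unsigned zone: nothing in cache, every random name is forwarded.
    print(aggressive_answer([], "unsigned.example.", "x.unsigned.example.", "A"))
```

The delegation and wildcard checks are the parts that matter in practice: a resolver that skips them would synthesize NXDOMAIN for names under sub.example. or for names a wildcard would have matched, which is exactly the kind of shortcut the "band-aid" remark above is about.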