> -----Original Message-----
> From: DNSOP [mailto:dnsop-boun...@ietf.org] On Behalf Of Peter van Dijk
>
> Hello John,
>
> 1 and 2 could be covered with a wildcard PTR, as I think Tony Finch pointed 
> out.
>

Hi Peter,

Thanks for your comments.

Wildcards are a good start, or at least they appear so on the surface.

Unfortunately, the vagueness of their definition and various
implementations of wildcards would make this a poor choice.

Not to mention, wildcards will severely fragment the namespace once
real PTRs are introduced, creating a rather fine mess.

This would also add another level of complication and restrict the
layering capabilities we are attempting to introduce and would
inevitably prove far more problematic and resource intensive than
you might expect, simply to compensate for all the fragmentation.

>
> > Forget for a moment about IPv6.  This draft makes $GENERATE more
> > memory efficient, scales bigger, stays intact through AXFRs and yes,
> > it makes some nameservers (authoritative) work a bit more as a
> > trade-off.
>
> One could make $GENERATE more efficient without actually implementing
> the BULK RR, by taking your pattern matching logic and implementing it
> inside the name server. Of course, this makes generating the NSEC/NSEC3
> chain much harder than it is with today’s $GENERATE implementations
> that actually generate all the names.
>

This would still be a vendor hack (BIND) and not a standard.  We are
looking for a vendor-agnostic solution and feel a standards body is
ultimately the right choice.  Additionally, this does not address the
ability to AXFR the 'intent' ($GENERATE).

>
> A very interesting puzzle would be implementing BULK support, based
> on the pattern matching in the draft, -without- doing NSEC(3)
> white/black lies - i.e. generating the widest possible NSEC instead
> of the narrowest one. For NSEC3 I suspect this is not feasible.
>

Unfortunately, there are lots of ways DNS is abused to provide an
undue prejudice against huge swaths of mild-mannered, legitimate IPs.

While our solution (NPN) offers the same opportunity for abuse, it
doesn't preemptively defeat other options, such as online signing
where BULK generated records are *exactly* like any other record.


Thanks,
John

>
> Kind regards,
> --
> Peter van Dijk
> PowerDNS.COM BV - https://www.powerdns.com/
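The wildcard-PTR fragmentation John describes above can be made concrete with a small model of RFC 4592 wildcard matching. The following is an added example, not code from this thread, from PowerDNS or from any other name server; the zone (192.168.0.0/16 reverse, one catch-all wildcard, the hostnames pool.example.net. and mail.example.net.) is constructed for illustration. It implements the RFC 4592 rules that matter here: a name "exists" if it owns data or is an empty non-terminal, a wildcard is only tried at the closest encloser of the query name, and an existing node with no data of the queried type yields NODATA rather than a wildcard answer.

```python
"""RFC 4592 wildcard lookup over a tiny reverse zone.

This is an added example, not code from the thread or from any name
server. The zone contents are constructed to show how one real PTR,
added beneath a catch-all wildcard, creates an empty non-terminal that
the wildcard no longer reaches.
"""

NXDOMAIN, NODATA, ANSWER = "NXDOMAIN", "NODATA", "ANSWER"


def norm(name: str) -> str:
    """Canonical owner-name form: lower case, no trailing dot."""
    return name.lower().rstrip(".")


def parent(name: str) -> str:
    """Drop the leftmost label; '' once there is nothing left."""
    return name.partition(".")[2]


class Zone:
    def __init__(self, origin: str) -> None:
        self.origin = norm(origin)
        self.rrsets: dict[str, dict[str, list[str]]] = {}

    def add(self, owner: str, rtype: str, rdata: str) -> None:
        self.rrsets.setdefault(norm(owner), {}).setdefault(rtype, []).append(rdata)

    def exists(self, name: str) -> bool:
        """A name exists if it owns data or is an empty non-terminal,
        i.e. an ancestor of some owner name (RFC 4592 existence rules)."""
        return name in self.rrsets or any(o.endswith("." + name) for o in self.rrsets)

    def closest_encloser(self, qname: str) -> str:
        """Longest existing ancestor of qname; the apex at worst."""
        name = parent(qname)
        while name != self.origin and not self.exists(name):
            name = parent(name)
        return name

    def lookup(self, qname: str, qtype: str = "PTR"):
        """Exact node (data or ENT) first, then the wildcard at the
        closest encloser (the 'source of synthesis'), else NXDOMAIN."""
        qname = norm(qname)
        if self.exists(qname):
            rrs = self.rrsets.get(qname, {}).get(qtype)
            return (ANSWER, rrs) if rrs else (NODATA, None)
        source = "*." + self.closest_encloser(qname)
        if source in self.rrsets:
            rrs = self.rrsets[source].get(qtype)
            return (ANSWER, rrs) if rrs else (NODATA, None)
        return (NXDOMAIN, None)


def demo() -> dict:
    """Constructed /16 reverse zone with one catch-all wildcard PTR."""
    z = Zone("168.192.in-addr.arpa")
    z.add("168.192.in-addr.arpa", "SOA",
          "ns1.example.net. hostmaster.example.net. 1 3600 900 1209600 300")
    z.add("*.168.192.in-addr.arpa", "PTR", "pool.example.net.")
    out = {"before": z.lookup("7.5.168.192.in-addr.arpa")}

    # One real PTR for 192.168.5.9. Its owner makes 5.168.192.in-addr.arpa
    # an empty non-terminal, which is now the closest encloser for every
    # other address in 192.168.5.0/24, so *.168.192.in-addr.arpa no
    # longer applies there.
    z.add("9.5.168.192.in-addr.arpa", "PTR", "mail.example.net.")
    out["real"] = z.lookup("9.5.168.192.in-addr.arpa")
    out["sibling"] = z.lookup("7.5.168.192.in-addr.arpa")    # NXDOMAIN
    out["ent"] = z.lookup("5.168.192.in-addr.arpa")          # NODATA
    out["other_net"] = z.lookup("3.4.168.192.in-addr.arpa")  # still covered

    # The operator has to re-cover each /24 that gained a real record.
    z.add("*.5.168.192.in-addr.arpa", "PTR", "pool.example.net.")
    out["patched"] = z.lookup("7.5.168.192.in-addr.arpa")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:10} {v[0]:8} {v[1] or ''}")
```

The "sibling" result is the fragmentation: every /24 (or, in ip6.arpa, every nibble level) that gains a single real PTR needs its own wildcard added beneath the new empty non-terminal, and the number of wildcards grows with the number of distinct prefixes holding real records.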
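The $GENERATE trade-off discussed in the exchange above (materialising every record, which is what AXFR carries, versus Peter's suggestion of matching the pattern inside the server at query time) can be modelled in a few dozen lines. This is an added example, not code from the thread, from BIND or from the BULK draft. It covers only the $ and ${offset,width,base} fields of BIND's $GENERATE syntax with bases d, o, x and X; the templates and hostnames are constructed. The query-time path inverts the owner template with a regex, checks the recovered iterator against the range and re-renders the owner to make sure padding and case round-trip.

```python
"""A $GENERATE-style template, materialised versus matched at query time.

Added example; it is not code from the thread, from BIND or from the
BULK draft. It models only the $ and ${offset,width,base} fields of the
BIND $GENERATE directive (bases d, o, x, X); the templates are
constructed for illustration.
"""
import re

# "$" or "${offset[,width[,base]]}"; base defaults to decimal.
TOKEN = re.compile(r"\$(?:\{(-?\d+)(?:,(\d+))?(?:,([doxX]))?\})?")
DIGITS = {"d": (r"\d+", 10), "o": (r"[0-7]+", 8),
          "x": (r"[0-9a-f]+", 16), "X": (r"[0-9A-F]+", 16)}


def render(template: str, i: int) -> str:
    """Substitute the iterator value into one side of the directive."""
    def sub(m):
        offset = int(m.group(1) or 0)
        width = int(m.group(2) or 0)
        base = m.group(3) or "d"
        return format(i + offset, base).zfill(width)
    return TOKEN.sub(sub, template)


class Generate:
    def __init__(self, start, stop, lhs, rtype, rhs, step=1):
        self.start, self.stop, self.step = start, stop, step
        self.lhs, self.rtype, self.rhs = lhs, rtype, rhs
        # Compile the owner template into a regex with one capture group
        # per iterator field, remembering each field's offset and radix.
        parts, pos, self.fields = [], 0, []
        for m in TOKEN.finditer(lhs):
            parts.append(re.escape(lhs[pos:m.start()]))
            base = m.group(3) or "d"
            parts.append("(%s)" % DIGITS[base][0])
            self.fields.append((int(m.group(1) or 0), DIGITS[base][1]))
            pos = m.end()
        parts.append(re.escape(lhs[pos:]))
        self.owner_re = re.compile("".join(parts))

    def indices(self) -> range:
        return range(self.start, self.stop + 1, self.step)

    def expand(self) -> list:
        """Today's $GENERATE: every record exists; this is what AXFR carries."""
        return [(render(self.lhs, i), self.rtype, render(self.rhs, i))
                for i in self.indices()]

    def synthesize(self, qname: str):
        """Pattern matching in the server: recover the iterator from the
        query name, check range and round-trip, then build the record."""
        m = self.owner_re.fullmatch(qname)
        if not m or not self.fields:
            return None
        offset, radix = self.fields[0]
        i = int(m.group(1), radix) - offset
        if i not in self.indices() or render(self.lhs, i) != qname:
            return None  # out of range, or padding/case does not round-trip
        return (qname, self.rtype, render(self.rhs, i))


def demo() -> dict:
    """Constructed reverse and forward templates."""
    ptr = Generate(1, 254, "$.1.168.192.in-addr.arpa.", "PTR",
                   "dhcp-${0,3,d}.example.net.")
    fwd = Generate(0, 255, "host-${0,2,x}.example.net.", "A", "10.0.0.$")
    records = ptr.expand()
    return {
        "count": len(records),                       # 254 stored RRs
        "first": records[0],
        "hit": ptr.synthesize("37.1.168.192.in-addr.arpa."),
        "out_of_range": ptr.synthesize("0.1.168.192.in-addr.arpa."),
        "no_roundtrip": ptr.synthesize("037.1.168.192.in-addr.arpa."),
        "hex": fwd.synthesize("host-ff.example.net."),
        "hex_wrong_case": fwd.synthesize("host-FF.example.net."),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The round-trip check is the part that is easy to get wrong in a server-side implementation: without it, "037" and "37" would both synthesise a record for the same owner, which is not what the expanded zone contains. Note that neither path helps with the NSEC/NSEC3 question raised above: the synthesized names do not exist as nodes, so an authoritative signer has to either expand them or sign online.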