On Mon, Apr 13, 2020 at 4:36 PM Ólafur Guðmundsson <ola...@cloudflare.com> wrote:
>
> I read the draft and like it, this is a clear statement of the problem and
> good way forward.
>

Thanks Olafur!

> I agree with the idea that "all" NS are lame is a good signal to
> revalidate,
>

Yeah, me too. But as Paul later notes, I think we'd need a hold time timer of some sort to prevent the parents from getting DDOS'd by resolvers caught in a tight revalidation loop. We could recommend a timer value in the draft.

> One idea to throw out here triggered by the first two paragraphs in section
> 3
> Should we recommend that Authoritative servers that are configured for
> minimal-response overwrite that on DNSKEY query and include NS RRset if
> there is space ?
>

Worth considering. That would be a very useful optimization if everyone was doing it from the start. But it suffers from the incremental deployment problem. Since resolvers can't know who might be doing this in advance, if they want to minimize latency, they'd still need to fire off the NS query in parallel with the DNSKEY.

Shumon.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
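
The hold-down idea raised in the reply above, sketched as an added example that is not part of the thread or the draft: a resolver re-queries the parent only when every cached NS for a zone is lame and a per-zone timer has expired. The class and function names and the 30-second value are assumptions; the thread only says a timer value could be recommended.

```python
from dataclasses import dataclass, field

HOLD_DOWN_SECONDS = 30.0  # assumed value, not taken from the draft or the thread


@dataclass
class RevalidationGate:
    """Per-zone hold-down for parent-side NS revalidation (hypothetical helper)."""
    hold_down: float = HOLD_DOWN_SECONDS
    _last: dict = field(default_factory=dict)  # zone -> time of last revalidation

    def should_revalidate(self, zone, ns_lame, now):
        """ns_lame maps each cached NS name to True if its last answer was lame."""
        zone = zone.lower().rstrip(".") + "."  # DNS names compare case-insensitively
        # Trigger only when every cached name server for the zone is lame.
        if not ns_lame or not all(ns_lame.values()):
            return False
        last = self._last.get(zone)
        if last is not None and now - last < self.hold_down:
            return False  # inside the hold-down window: do not re-query the parent
        self._last[zone] = now
        return True


def simulate(gate, events):
    """Return the timestamps at which the parent would be re-queried."""
    return [t for t, zone, ns_lame in events
            if gate.should_revalidate(zone, ns_lame, t)]


# Constructed sample: a resolver retrying a broken delegation every 2 s for a minute.
ALL_LAME = {"ns1.example.net.": True, "ns2.example.net.": True}
ONE_OK = {"ns1.example.net.": True, "ns2.example.net.": False}
TIGHT_LOOP = [(float(t), "example.com.", ALL_LAME) for t in range(0, 60, 2)]

if __name__ == "__main__":
    no_timer = simulate(RevalidationGate(hold_down=0.0), TIGHT_LOOP)
    print("parent queries without hold-down:", len(no_timer))
    print("parent queries with hold-down at:", simulate(RevalidationGate(), TIGHT_LOOP))
```
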