On 03/09/2021 09.48, Vladimír Čunát wrote:
> you can't expect them [resolvers] to keep a significant fraction of huge zones in cache

That being said, if a zone with (only) a couple million entries is *attacked*, it can be realistically protected by aggressive caching. A cache of a couple GB seems OK for big resolver instances, so even the whole NSEC* chain of the attacked zone might fit. Simple experiments: https://indico.dns-oarc.net/event/28/contributions/509/

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
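
The aggressive caching mentioned in the message (RFC 8198) lets a resolver answer queries for nonexistent names from NSEC records it already holds. The sketch below is an added example, not part of the original message or of any resolver's code: it shows the covering check, including the empty non-terminal and wildcard cases. The zone names and the `NsecCache` class are constructed for illustration, and signature validation and TTL handling are assumed to happen elsewhere.

```python
import bisect

def key(name):
    """Canonical ordering key (RFC 4034 section 6.1): lowercased labels, root first."""
    return tuple(l.encode() for l in reversed(name.lower().rstrip(".").split(".")))

def shared(a, b):
    """Number of leading labels (from the root) that two keys have in common."""
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return n

class NsecCache:
    def __init__(self, apex):
        self.apex = key(apex)
        self.owners = []   # sorted keys of cached NSEC owner names
        self.nxt = {}      # owner key -> "next domain name" key

    def add(self, owner, next_name):
        k = key(owner)
        if k not in self.nxt:
            bisect.insort(self.owners, k)
        self.nxt[k] = key(next_name)

    def covering(self, q):
        """Return the cached (owner, next) pair proving q is absent, else None."""
        i = bisect.bisect_left(self.owners, q)
        if i == 0 or (i < len(self.owners) and self.owners[i] == q):
            return None                      # nothing below q, or q itself exists
        owner = self.owners[i - 1]
        nxt = self.nxt[owner]
        if nxt[:len(q)] == q:
            return None                      # q is an empty non-terminal: it exists
        if q < nxt or nxt <= owner:          # nxt <= owner: last NSEC wraps to apex
            return owner, nxt
        return None

    def nxdomain(self, qname):
        """True if NXDOMAIN can be synthesized from cache without asking upstream."""
        q = key(qname)
        if len(q) <= len(self.apex) or q[:len(self.apex)] != self.apex:
            return False
        hit = self.covering(q)
        if hit is None:
            return False
        encloser = q[:max(shared(q, hit[0]), shared(q, hit[1]))]
        return self.covering(encloser + (b"*",)) is not None  # no wildcard either

# Constructed zone: example. -> alpha -> mail -> www -> example. (mail's NSEC not cached)
cache = NsecCache("example.")
for owner, nxt in [("example.", "alpha.example."), ("alpha.example.", "mail.example."),
                   ("www.example.", "example.")]:
    cache.add(owner, nxt)
```

Names that fall in the gap whose NSEC is not cached (between `mail` and `www` here) still go upstream, which is why the message's point about fitting the whole chain in cache matters.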