Hi Paul,

On Tue, Mar 28, 2023 at 14:51, Paul Vixie <paul=40redbarn....@dmarc.ietf.org> 
wrote:

> Viktor Dukhovni wrote on 2023-03-27 18:00:
>>
>> * How compelling is compact DoE?
>
> that may depend on the beholder's eye. for perspective, no root name
> server has deployed this alternative form of Denial of Existence, and i
> believe this includes the f-root anycast instances operated by
> cloudflare under ISC's management. root name servers receive an awful
> lot of junk, and aren't in general overfunded, so if compactness of DoE
> was compelling for anybody, it seems like it would be for them.

Root servers don't do online signing; they serve a pre-signed zone. They don't 
have a motivation to reduce the cost of signature generation at response time 
because that cost is already zero.

Online signing by root servers would be a significant policy departure from how 
things are currently organised, since it would imply that individual root 
server operators bear some kind of responsibility for the contents of the root 
zone. Offline signing seems to work quite well with a zone that is not updated 
with high frequency.

A more compact signed negative response would reduce the capacity required to 
send negative responses, of which, as you pointed out, root servers send a lot. 
However, I seem to think that root server instances are already quite 
well-provisioned with spare capacity over and above their steady-state 
requirements in order to be prepared for flash crowds and attack traffic. It's 
always good to be frugal, I guess, but it's not obvious to me that this is a 
problem in search of a solution in this case.

I'm not sure that root servers (or the root zone) are obvious candidates for 
compact negative responses.

Joe
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop