On 2023-03-29 15:45, Paul Vixie wrote:
> Joe Abley wrote on 2023-03-29 01:56:
>> Hi Paul,
>> On Tue, Mar 28, 2023 at 14:51, Paul Vixie
>>> ... for perspective, no root name
>>> server has deployed this alternative form of Denial of Existence, ...
>> Root servers don't do online signing; they serve a pre-signed zone.
>> They don't have a motivation to reduce the cost of signature
>> generation at response time because that cost is already zero.
> oops. duh.
> however, olafur's original CF blog post about CDoE also talked about
> packet size (desiring explicitly to fit in 512b). justification was
> about fragmentation avoidance, not CPU time needed to construct
> responses that were smaller than 512b being less than for responses
> that were larger than 512b. i think it's worth asking if this still
> matters, or else, is the current perceived benefit of CDoE simply that
> a NODATA response is easier to construct and contains no wildcard
> disproof?
The original blog does bring up the CPU argument:
https://blog.cloudflare.com/black-lies/
from the Conclusion:
"We’re proud of our negative answers. They help us keep packet size
small, and CPU consumption low enough for us to provide DNSSEC for free
for any domain"
and yes, packet size still matters.
/ Christian
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
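The packet-size question in the thread (a classic NSEC NXDOMAIN answer carrying a covering NSEC plus a wildcard disproof, versus a compact-denial NODATA answer carrying a single synthesised NSEC) can be put in numbers. The following is an added example, not code from the thread, the DNSOP list or Cloudflare: it sizes both response shapes from the RFC 1035/4034 record layouts. The zone name, query name, NSEC chain neighbours, type bitmaps and the black-lies NSEC layout (next name `\000.<qname>`, bitmap `RRSIG NSEC`) are constructed assumptions for illustration; name compression is not modelled, so every figure is an upper bound on what a real server would send.

```python
# Added example (not from the thread): rough wire-size comparison of a classic
# NSEC NXDOMAIN response against a compact-denial ("black lies") NODATA response,
# using RFC 1035/4034 record layouts. Zone data, RR types and the black-lies NSEC
# layout are constructed/assumed; name compression is not modelled, so all
# sizes are upper bounds on what a real server would emit.

def name_wire_len(name: str) -> int:
    """Uncompressed wire length of a domain name: 1 length byte per label + root byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1

def type_bitmap_len(types) -> int:
    """RFC 4034 section 4.1.2: per 256-type window, 2 header bytes + ceil((max+1)/8) bitmap bytes."""
    highest = {}
    for t in types:
        window, low = t >> 8, t & 0xFF
        highest[window] = max(highest.get(window, -1), low)
    return sum(2 + (hi // 8 + 1) for hi in highest.values())

def rr_len(owner: str, rdata_len: int) -> int:
    """Owner name + TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2) + RDATA."""
    return name_wire_len(owner) + 10 + rdata_len

def nsec_len(owner: str, next_name: str, types) -> int:
    return rr_len(owner, name_wire_len(next_name) + type_bitmap_len(types))

def rrsig_len(owner: str, signer: str, sig_len: int) -> int:
    # 18 fixed bytes: type covered, algorithm, labels, original TTL, expiration, inception, key tag
    return rr_len(owner, 18 + name_wire_len(signer) + sig_len)

def soa_len(owner: str, mname: str, rname: str) -> int:
    # MNAME + RNAME + five 32-bit fields (serial, refresh, retry, expire, minimum)
    return rr_len(owner, name_wire_len(mname) + name_wire_len(rname) + 20)

HEADER_LEN = 12
OPT_RR_LEN = 11          # root owner (1) + type/class/ttl/rdlength (10), no options
ECDSA_P256_SIG = 64      # signature size for algorithm 13
RSA_2048_SIG = 256

# Constructed zone data for the illustration (assumed, not from the thread).
ZONE = "example.com."
QNAME = "nonexistent.example.com."
SOA_RR = soa_len(ZONE, "ns1.example.com.", "hostmaster.example.com.")
APEX_TYPES = (1, 2, 6, 15, 16, 46, 47, 48)   # A NS SOA MX TXT RRSIG NSEC DNSKEY
HOST_TYPES = (1, 28, 46, 47)                 # A AAAA RRSIG NSEC

def common_len(sig_len: int) -> int:
    """Header, question, SOA + RRSIG(SOA) in the authority section, and the OPT RR."""
    return (HEADER_LEN + name_wire_len(QNAME) + 4
            + SOA_RR + rrsig_len(ZONE, ZONE, sig_len) + OPT_RR_LEN)

def classic_nxdomain_len(sig_len: int) -> int:
    """Pre-signed NSEC zone: one NSEC covering QNAME and one covering the wildcard
    (here the apex NSEC, since '*' sorts before 'a'), each with its own RRSIG."""
    covering = nsec_len("mail.example.com.", "www.example.com.", HOST_TYPES)
    wildcard = nsec_len(ZONE, "a.example.com.", APEX_TYPES)
    return (common_len(sig_len) + covering + rrsig_len("mail.example.com.", ZONE, sig_len)
            + wildcard + rrsig_len(ZONE, ZONE, sig_len))

def black_lies_len(sig_len: int) -> int:
    """Online-signed NODATA: a single synthesised NSEC whose next name is
    \\000.QNAME and whose bitmap lists only RRSIG and NSEC (assumed layout),
    plus its RRSIG. No wildcard disproof is needed because the name is
    asserted to exist."""
    nsec = nsec_len(QNAME, "\x00." + QNAME, (46, 47))
    return common_len(sig_len) + nsec + rrsig_len(QNAME, ZONE, sig_len)

def fits_512(size: int) -> bool:
    """The packet-size target the blog post mentioned: a plain 512-byte UDP answer."""
    return size <= 512

if __name__ == "__main__":
    for label, sig in (("ECDSA P-256", ECDSA_P256_SIG), ("RSA-2048", RSA_2048_SIG)):
        classic, compact = classic_nxdomain_len(sig), black_lies_len(sig)
        print(f"{label}: classic NXDOMAIN {classic} bytes (fits 512: {fits_512(classic)}), "
              f"compact NODATA {compact} bytes (fits 512: {fits_512(compact)})")
```

With the constructed names and ECDSA P-256 signatures the classic answer comes to 595 bytes and the compact one to 454, so only the latter fits under 512 without compression; with RSA-2048 signatures both blow well past 512 (1171 and 838 bytes), which is the case where the fragmentation argument stops distinguishing the two and the remaining difference is one fewer NSEC and RRSIG to sign and send.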