Hi DNSOP, draft-ietf-dnsop-compact-denial-of-existence currently says the following about RFC 4470:
> The response for a non-existent name requires up to 2 signed NSEC records or up to 3 signed NSEC3 records (and for online signers, the associated cryptographic computation), to prove that (1) the name did not explicitly exist in the zone, and (2) that it could not have been synthesized by a wildcard.

However, it seems to me that the wildcard response is extremely cacheable, so in practice online signing with RFC 4470 only requires one signature (even during a cache-busting attack), i.e. the same computational cost as draft-ietf-dnsop-compact-denial-of-existence. This leaves response packet size as the primary advantage over RFC 4470. Is this a fair assessment?

If this is correct, then I'm not sure the complexity of solving the ENT problem is worthwhile. Consider the camel [1], and think carefully before defining new mechanisms to solve minor problems. We have many other options, like changing the status to Informational and simply documenting existing practice, or declaring that zones using this strange mechanism must never return NXDOMAIN at all.

--Ben Schwartz

[1] https://blog.apnic.net/2018/03/29/the-dns-camel/
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
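The cacheability argument above, as an added example (not code from the thread, the draft, or any DNS implementation): a simplified RFC 4470-style minimally covering NSEC construction, the two covers an NXDOMAIN needs, and a count of signing operations for a burst of random-label queries once the wildcard cover is cached. The predecessor construction (decrement the last octet of the first label, pad with 0xff), the hostname-only label assumption, and the set-based signature cache are assumptions of this example.

```python
# Added example, not from the thread. Names are tuples of label bytes with the
# root omitted, e.g. (b"foo", b"example"). Assumption: ordinary hostname labels
# (no NUL octets), so the simple predecessor rule below is always valid.

def canonical_key(name):
    """RFC 4034 s6.1 canonical order: compare labels right to left, octet-wise,
    with ASCII uppercase folded to lowercase."""
    return tuple(label.lower() for label in reversed(name))

def minimal_cover(name):
    """Narrow (owner, next) pair covering `name`, in the spirit of RFC 4470 s4.
    Simplification (assumption): owner = first label with its last octet
    decremented and padded with 0xff to 63 octets; next = a \\x00 label
    prepended to `name`. Both sort immediately around `name`."""
    first, rest = name[0], name[1:]
    prev_first = (first[:-1] + bytes([first[-1] - 1])).ljust(63, b"\xff")
    owner = (prev_first,) + rest
    nxt = (b"\x00",) + name
    return owner, nxt

def covers(cover, name):
    """True if `name` falls strictly between the cover's owner and next name."""
    owner, nxt = cover
    return canonical_key(owner) < canonical_key(name) < canonical_key(nxt)

def nxdomain_proof(qname, closest_encloser):
    """The two NSEC covers an NXDOMAIN needs: one for the query name and one for
    the wildcard at the closest encloser (proves no wildcard synthesis)."""
    return {
        "qname": minimal_cover(qname),
        "wildcard": minimal_cover((b"*",) + closest_encloser),
    }

def signatures_needed(queries, closest_encloser, cache):
    """Signing operations for a burst of NXDOMAIN queries under one closest
    encloser. The qname cover differs per query and is always signed fresh; the
    wildcard cover is identical across the burst, so it is signed once and then
    reused from `cache` (assumed: a set of already-signed covers)."""
    signed = 0
    for q in queries:
        proof = nxdomain_proof(q, closest_encloser)
        signed += 1                          # qname cover: always fresh
        if proof["wildcard"] not in cache:   # wildcard cover: once per encloser
            cache.add(proof["wildcard"])
            signed += 1
    return signed
```

For 100 random labels under one existing parent the count is 101, i.e. one signature per query plus a single one-off wildcard signature.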