TL;DR: (IPv4) The benefit of NSEC is fewer queries to the auths which would
return NXDOMAIN answers, which improves overall DNSBL lookup performance.
It also avoids exploding the negative cache of the resolver.

Funny you should mention that. About ten years ago I was trying to figure out how IPv6 DNSBLs would work. I came up with a variety of ideas, such as one where I put the entries in a B-tree stored in the DNS. (It worked but its performance was no better than the obvious rDNS like approach.) It occurred to me that the IPv6 DNSBL address space was likely to be sparse, so I suggested on this list, how about signing the DNSBL zones and then the cache can synthesize NXDOMAIN responses from the NSEC records.

I was firmly informed that I was a moron, that was a stupid idea, and if you want the right answer, you should ask the authoritative servers. Now we have RFC 8198 so I guess we are all morons, or something.

Using NSEC to fill the gaps is still a reasonable idea but the stunt servers that serve most DNSBLs don't yet do DNSSEC, and if the stats I've seen are to be believed, most of the net still doesn't look at DNSSEC even if it's available.

FYI, you can't use most DNSBLs through large public resolvers like 8.8.8.8. The DNSBLs use a freemium model where the largest users pay (which I can assure you they do for high quality DNSBLs) while providing free results to everyone else, and if they allowed people to use the public resolvers, that wouldn't work. Large means very large, the resolvers at most hosting providers have no problem.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
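
The NSEC-synthesis idea discussed above, as an added example that is not code from this message or from any DNSBL operator: a resolver that has validated the NSEC chain of a signed IPv4 DNSBL zone can answer queries for unlisted addresses with NXDOMAIN locally, RFC 8198 style, instead of sending them to the authoritative servers. The zone name and NSEC records are constructed; for brevity the wildcard-denial NSEC that RFC 8198 also requires before synthesizing is not checked.

```python
from ipaddress import IPv4Address

ZONE = "dnsbl.example"  # constructed DNSBL zone apex

# Constructed, already-validated NSEC chain: (owner, next owner) in zone order.
# Listed IPv4 addresses appear octet-reversed under the apex (1.2.3.4 -> 4.3.2.1).
NSEC_CACHE = [
    ("dnsbl.example", "4.3.2.1.dnsbl.example"),
    ("4.3.2.1.dnsbl.example", "200.0.113.198.dnsbl.example"),
    ("200.0.113.198.dnsbl.example", "dnsbl.example"),  # last NSEC wraps to apex
]


def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical ordering: labels compared
    from the root leftwards, case-folded, as byte strings; a name sorts
    before every name below it."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode() for label in reversed(labels))


def dnsbl_name(ip):
    """Query name for an IPv4 address: reversed octets under the apex."""
    return ".".join(reversed(str(IPv4Address(ip)).split("."))) + "." + ZONE


def cached_answer(qname, nsec_cache=NSEC_CACHE):
    """What the cached NSEC chain proves about qname: 'listed' (name exists),
    'nxdomain-synthesized' (no query to the auths needed), 'nodata-ent'
    (empty non-terminal: exists, but has no data) or 'query-auth' (no proof)."""
    q, apex = canonical_key(qname), canonical_key(ZONE)
    for owner, nxt in nsec_cache:
        o, n = canonical_key(owner), canonical_key(nxt)
        if q == o:
            return "listed"
        wraps = n == apex  # the last NSEC covers everything after its owner
        if (o < q < n) or (wraps and q > o):
            # If the next name is below qname, qname is an empty non-terminal:
            # it exists and must not be synthesized as NXDOMAIN.
            if n[:len(q)] == q:
                return "nodata-ent"
            return "nxdomain-synthesized"
    return "query-auth"


def lookup(ip, nsec_cache=NSEC_CACHE):
    """DNSBL lookup for an IPv4 address served from the NSEC cache."""
    return cached_answer(dnsbl_name(ip), nsec_cache)
```

Only queries the cache cannot prove ("query-auth") reach the authoritative servers, which is where the saving in NXDOMAIN traffic and negative-cache entries comes from.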

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop