It appears that Mark Andrews <ma...@isc.org> said:
> It's not the complexity of the validator we are worried about. The number of
> crypto verifications per second is really low on all hardware. Being able to
> stop validating on the first failure rather than having to continue because
> the attacker has constructed a colliding key tag rrset is beneficial to
> getting good throughput in the presence of a DoS attack.
Why do you have to try to validate everything rather than do some sensible
number and stop? When I look at RFC 4035 sec 5.3.3 I don't see any MUSTs.
I could set up a 100-link CNAME chain that would resolve if you followed the
whole thing, but every cache will stop long before that. Why is this
different?

R's,
John

PS: I wouldn't be opposed to something like RFC 9276 that offered some advice
for things to limit in practical DNS resolution, but that's not a protocol
change, more like a BCP.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
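An added illustration of the work limit being discussed in this thread (example code written for this page, not from any participant, BIND, or any other resolver). The key tag computation is the one in RFC 4034 Appendix B; the DNSKEY and RRSIG records are constructed, and signature verification is a toy hash comparison standing in for a real public-key operation. It shows the RFC 4035 candidate-key loop (every RRSIG against every DNSKEY with a matching tag) once unbounded and once with a per-RRset attempt budget, which is the "sensible number and stop" behaviour: with N colliding keys and M bad signatures the unbounded loop spends N*M verifications, the bounded one spends at most the budget, and a legitimately signed RRset still validates within it.

```python
"""Bounded DNSSEC signature-validation loop (constructed illustration).

Key tag computation follows RFC 4034 Appendix B.  Signature verification is
a toy hash comparison, not real DNSSEC crypto; the DNSKEY/RRSIG records are
constructed for this example and do not come from any real zone.
"""
import hashlib
from dataclasses import dataclass


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithm != 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DNSKEY:
    rdata: bytes  # flags(2) | protocol(1) | algorithm(1) | public key

    @property
    def tag(self) -> int:
        return key_tag(self.rdata)


@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    signature: bytes


def toy_sign(key: DNSKEY, signed_data: bytes) -> bytes:
    # Stand-in for a real signing operation (constructed, not DNSSEC crypto).
    return hashlib.sha256(key.rdata + signed_data).digest()


def toy_verify(key: DNSKEY, signed_data: bytes, sig: bytes) -> bool:
    return toy_sign(key, signed_data) == sig


def validate(signed_data, rrsigs, dnskeys, max_attempts=None):
    """Return (status, attempts) with status in secure / bogus / exceeded.

    Candidate keys are selected by key tag as in RFC 4035 section 5.3, so
    every RRSIG is tried against every DNSKEY sharing its tag.  When
    max_attempts is set the loop stops as soon as the budget is spent, so the
    cost of a colliding-key-tag RRset is bounded by the resolver, not by the
    zone that served it.
    """
    by_tag = {}
    for key in dnskeys:
        by_tag.setdefault(key.tag, []).append(key)
    attempts = 0
    for sig in rrsigs:
        for key in by_tag.get(sig.key_tag, []):
            if max_attempts is not None and attempts >= max_attempts:
                return "exceeded", attempts
            attempts += 1
            if toy_verify(key, signed_data, sig.signature):
                return "secure", attempts
    return "bogus", attempts


def colliding_keys(n: int) -> list:
    """Build n distinct DNSKEYs that share one key tag (constructed).

    The Appendix B sum weights even RDATA offsets by 256 and odd offsets by 1,
    so moving one unit from one even-offset byte to another leaves the tag
    unchanged.  Offsets 4 and 6 below are both even (after the 4-byte header).
    """
    header = bytes([0x01, 0x01, 0x03, 0x0D])  # flags 257, protocol 3, alg 13
    keys = []
    for j in range(n):  # keep n <= 32 so the bytes stay in range
        pub = bytearray([0x40] * 32)
        pub[0] += j
        pub[2] -= j
        keys.append(DNSKEY(header + bytes(pub)))
    return keys


RRSET_DATA = b"www.example. IN A 192.0.2.1"  # constructed signed data


def demo_flood(n_keys=16, n_sigs=16, budget=8):
    """Colliding keys plus unverifiable signatures: unbounded vs. budgeted."""
    keys = colliding_keys(n_keys)
    bad_sigs = [RRSIG(keys[0].tag, bytes([i]) * 32) for i in range(n_sigs)]
    unbounded = validate(RRSET_DATA, bad_sigs, keys)
    bounded = validate(RRSET_DATA, bad_sigs, keys, max_attempts=budget)
    return unbounded, bounded


def demo_legit(budget=8):
    """A valid signature under one of several colliding keys still validates."""
    keys = colliding_keys(5)
    good = keys[3]
    sig = RRSIG(good.tag, toy_sign(good, RRSET_DATA))
    return validate(RRSET_DATA, [sig], keys, max_attempts=budget)


if __name__ == "__main__":
    print("flood:", demo_flood())   # ('bogus', 256) vs ('exceeded', 8)
    print("legit:", demo_legit())   # ('secure', 4)
```

The budget here is per RRset; a resolver would more naturally charge it against the whole query so that chained delegations cannot multiply it, which is the same kind of operational limit a cache already applies to a long CNAME chain.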