Re: [DNSOP] NXDOMAIN and RFC 8020

Peter van Dijk <peter.van.dijk@powerdns.com> Tue, 06 April 2021 18:36 UTC

Message-ID: <2f5192fff52fbe2c5a6ed1cfdf3a3d8f1c5d560e.camel@powerdns.com>
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: dnsop@ietf.org
Date: Tue, 06 Apr 2021 20:36:49 +0200
In-Reply-To: <3c163088-2b5b-a64b-129f-de9932ebad40@nic.cz>
References: <CAL0qLwai81BFYfG=u-Z+sVgE8aBvU1gGgOjO_vYH_aLP9GsnxA@mail.gmail.com> <3c163088-2b5b-a64b-129f-de9932ebad40@nic.cz>
Organization: PowerDNS.COM B.V.
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/gUOpoAdvb_hLaw-odCMron-4JKk>

And the 'go read this' reference is https://tools.ietf.org/html/rfc8198

On Tue, 2021-04-06 at 20:29 +0200, libor.peltan wrote:
> Hi Murray,
> if foo.example does not exist and DNSSEC is in place, then the resolver actually, even with the queries "in reverse order", obtains an NSEC(3), proving non-existence for much more.
> For example, the query is bar.foo.example, and the authoritative returns an NSEC proving that there is nothing between fa.example and fz.example. Thus, the resolver can later deduce nonexistence not only for foo.example, but also for fun.example and bar.fun.example, etc.
> Without DNSSEC, this deduction (called "aggressive NSEC caching") is not possible.
> Cheers,
> Libor
> On 06. 04. 21 at 20:11 Murray S. Kucherawy wrote:
> > 
> > This would make an ascending tree walk even for something crazy like "a.b.c.d.....y.z.foo.example" extremely cheap as the cached NXDOMAIN for "foo.example" covers the entire subtree, for a caching nameserver implementing RFC 8020.
> > 
> > Maybe this is discussed somewhere that I missed in the references.  I'm happy to take a "go read this for the answer" if that's the case.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
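The two deductions discussed in this thread, a cached NXDOMAIN covering the whole subtree below it (RFC 8020) and a validated NSEC covering every name that sorts into its gap (RFC 8198), can be shown in a small model of a resolver's negative cache. The code below is an added example written for this archive page; it is not from the thread, PowerDNS, or any other resolver. It assumes names are ASCII (A-labels), that the cached NSECs have already been DNSSEC-validated, and it derives the closest encloser as the longest ancestor shared between the query name and the covering NSEC's owner or next name; the `NSEC` and `NegativeCache` classes are invented for the illustration.

```python
"""Toy negative cache: RFC 8020 subtree denial and RFC 8198 aggressive NSEC use.

Added example, not from the thread or any real resolver. Names are assumed
to be ASCII A-labels, and cached NSEC RRs are assumed to be validated.
"""


def canonical_key(name: str) -> tuple:
    """Sort key for DNSSEC canonical name order (RFC 4034 section 6.1):
    labels are compared from the right, case-insensitively, as unsigned
    octets, so a name sorts immediately before all of its descendants."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return tuple(label.encode("ascii") for label in reversed(labels))


def is_below(name: str, ancestor: str) -> bool:
    """True when `name` is a strict subdomain of `ancestor`."""
    n, a = canonical_key(name), canonical_key(ancestor)
    return len(n) > len(a) and n[: len(a)] == a


class NSEC:
    """One NSEC RR: owner name, next owner name, and the types at the owner."""

    def __init__(self, owner: str, next_name: str, types):
        self.owner, self.next_name, self.types = owner, next_name, frozenset(types)

    def covers(self, qname: str) -> bool:
        """True if this NSEC proves that qname does not exist.

        Caveat (RFC 4035): an NSEC at a delegation point (NS present, SOA
        absent) describes only the parent side of the zone cut; names below
        that delegation live in the child zone and are out of its scope."""
        if "NS" in self.types and "SOA" not in self.types and is_below(qname, self.owner):
            return False
        o, nx, q = map(canonical_key, (self.owner, self.next_name, qname))
        if o < nx:
            return o < q < nx
        return q > o or q < nx  # the last NSEC in a zone wraps around to the apex


class NegativeCache:
    def __init__(self):
        self.nxdomains = []  # names that were answered NXDOMAIN (RFC 8020)
        self.nsecs = []      # validated NSEC RRs (RFC 8198)

    def add_nxdomain(self, name: str):
        self.nxdomains.append(name)

    def add_nsec(self, nsec: NSEC):
        self.nsecs.append(nsec)

    def closest_encloser(self, qname: str, nsec: NSEC) -> str:
        """Longest ancestor of qname shown to exist by the covering NSEC:
        the longest common suffix of qname with the owner or the next name.
        Returns '' for the root."""
        q = canonical_key(qname)
        best = ()
        for other in (nsec.owner, nsec.next_name):
            o = canonical_key(other)
            i = 0
            while i < min(len(q), len(o)) and q[i] == o[i]:
                i += 1
            best = max(best, q[:i], key=len)
        return ".".join(label.decode() for label in reversed(best))

    def provably_nonexistent(self, qname: str) -> str:
        """Return the rule that answers qname from cache, or '' if a query is needed."""
        qn = qname.rstrip(".").lower()
        for name in self.nxdomains:
            if qn == name.rstrip(".").lower() or is_below(qname, name):
                return "RFC8020"
        for nsec in self.nsecs:
            if not nsec.covers(qname):
                continue
            # RFC 8198 also needs proof that no wildcard at the closest
            # encloser would have synthesized an answer for qname.
            ce = self.closest_encloser(qname, nsec)
            wildcard = "*." + ce if ce else "*"
            if any(n.covers(wildcard) for n in self.nsecs):
                return "RFC8198"
        return ""


def build_demo_cache() -> NegativeCache:
    """Constructed sample state: the NSEC from the thread (fa.example ->
    fz.example), the apex NSEC, a delegation NSEC at fz.example, and a cached
    NXDOMAIN for foo.example."""
    cache = NegativeCache()
    cache.add_nsec(NSEC("example", "fa.example", {"SOA", "NS", "DNSKEY"}))
    cache.add_nsec(NSEC("fa.example", "fz.example", {"A"}))
    cache.add_nsec(NSEC("fz.example", "example", {"NS"}))  # delegation, wraps to apex
    cache.add_nxdomain("foo.example")
    return cache


if __name__ == "__main__":
    c = build_demo_cache()
    for q in ("a.b.c.foo.example", "bar.fun.example", "zzz.example", "a.fz.example", "fa.example"):
        print(q, "->", c.provably_nonexistent(q) or "query needed")
```

Running the block prints, for each constructed query, whether the cache can answer it: names under foo.example by RFC 8020, names in the fa.example to fz.example gap (and their descendants) by RFC 8198 because the apex NSEC also denies `*.example`, and nothing for a.fz.example, since the NSEC at the fz.example delegation says nothing about the child zone.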