Re: [DNSOP] Using NSEC authoritatively - cutting down on NXD requests...

[Shane Kerr <shane@time-travellers.org>]

Warren,

On Thu, 15 Oct 2015 13:53:51 -0400
Warren Kumari <warren@kumari.net> wrote:
> I wanted to mention a document that Geoff and I wrote a few weeks back:
> 
> draft-wkumari-dnsop-cheese-shop-00 - "Believing NSEC records in the
> DNS root" - https://datatracker.ietf.org/doc/draft-wkumari-dnsop-cheese-shop/
> 
> Basically this is a simplification of Kazunori Fujiwara's
> I-D.fujiwara-dnsop-nsec-aggressiveuse, restricted in scope to only be
> validated NSEC, and only for the root. Being simpler, we believe that
> cheese-shop allows for simpler implementation and gaining experience.
> We complement, not compete with nsec-aggressiveuse.
> 
> The root has some nice properties -- we understand a lot about the
> structure of the zone (e.g no wildcards, no cname's), and it is known
> to get a bunch of junk queries.
> Using NSEC for negative caching is known to work well in this case; we
> can expand the scope of the document sometime after discussions...

I like Fujiwara's idea, so I favor anything that helps move it along. I
tend to think that it would be nice to solve the general case, but I
understand your motivation here. 

I can see the issue with wildcards - a resolver has to do a separate
query to confirm that there are no wildcards for a zone, and then
presumably caching needs to take the minimum of the wildcard NSEC TTL
and any other NSEC TTL. There is a win in the root because as you point
out there is no wildcard.

I don't see the issue with CNAME though. What is that?

Cheers,

--
Shane