Promoting DNSSEC to nay-sayers
warren at kumari.net
Fri Sep 29 16:27:55 UTC 2017
On Fri, Sep 29, 2017 at 4:41 AM, Tony Finch <dot at dotat.at> wrote:
> sthaug at nethelp.no <sthaug at nethelp.no> wrote:
>> > There's a really neat DNSSEC-related improvement on the way: RFC 8198
>> > negative answer synthesis. This should greatly reduce the amount of junk
>> > queries to the root name servers (and other parts of the namespace too).
>> > Should be particularly good for mail servers that deal with amazing
>> > amounts of toxic waste.
>> Which begs the question: Should we expect Joe Average DNS Administrator
>> to care about the amount of junk queries to the root name servers?
> You win from lower latency responses and wasting less RAM on negative
> cache entries.
You also win (IMO, the biggest win) if you are authoritative and have
signed your zone -- if cuts down on the pain you feel from (many of
the current) DoS attacks.
> f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
> Cromarty, Forth, Tyne, Dogger: South or southwest 5 or 6. Moderate,
> occasionally rough in Cromarty. Rain at first, then showers. Moderate,
> becoming good.
> bind-workers mailing list
> bind-workers at lists.isc.org
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
More information about the bind-workers