[ratelimits] RRL vs other approaches
Olaf Kolkman
olaf at NLnetLabs.nl
Sat Feb 23 07:34:45 UTC 2013
On Feb 20, 2013, at 10:21 PM, Vernon Schryver <vjs at rhyolite.com> wrote:
> Today I realize I am being stupid. Trying to recursively resolve
> requests for A RRs with ANY requests does not get the NSEC records
> required when there are no A records. I now wonder if DNSSEC is a
> reason to deprecate ANY. (deprecating ANY to mitigate reflection
> attacks is wishful thinking)
This confuses me.
If there is any NSEC record that matches the ownername of your query then the type bitmap provides proof of the existent and non-existent records. I.e., you only need one appropriate NSEC for the QTYPE proofs.
--Olaf
NLnet Labs
Olaf M. Kolkman
www.NLnetLabs.nl
olaf at NLnetLabs.nl
Science Park 400, 1098 XH Amsterdam, The Netherlands
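
The point made in the reply above, as an added example that is not part of the original message: a Python sketch that decodes an NSEC type bitmap (RFC 4034, section 4.1.2) and checks whether one NSEC at the query's owner name proves that a type is absent. The function names and the owner name host.example. are made up for illustration, and the NSEC is assumed to have passed signature validation already.

```python
# Added example: decode an NSEC type bitmap and use it as a NODATA proof.
# Names and sample data are constructed for illustration.

def encode_type_bitmap(types):
    """Build the wire-format bitmap; used here only to construct sample data."""
    windows = {}
    for t in types:
        bits = windows.setdefault(t >> 8, bytearray(32))
        bits[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)   # bit 0 is the MSB of octet 0
    out = bytearray()
    for win in sorted(windows):
        bits = bytes(windows[win]).rstrip(b"\x00")  # trailing zero octets are omitted
        out += bytes([win, len(bits)]) + bits
    return bytes(out)


def decode_type_bitmap(wire):
    """Return the set of RR type codes present at the NSEC owner name."""
    present, pos, last_win = set(), 0, -1
    while pos < len(wire):
        if pos + 2 > len(wire):
            raise ValueError("truncated window header")
        win, length = wire[pos], wire[pos + 1]
        if not 1 <= length <= 32 or win <= last_win:
            raise ValueError("malformed window block")
        block = wire[pos + 2:pos + 2 + length]
        if len(block) != length:
            raise ValueError("truncated bitmap")
        for i, octet in enumerate(block):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    present.add(win * 256 + i * 8 + bit)
        last_win, pos = win, pos + 2 + length
    return present


def proves_nodata(nsec_owner, bitmap, qname, qtype):
    """True if this one NSEC shows qname exists but has no RRset of qtype."""
    same_owner = nsec_owner.rstrip(".").lower() == qname.rstrip(".").lower()
    types = decode_type_bitmap(bitmap)
    # RFC 6840 section 4.3: the CNAME bit (type 5) must be clear as well.
    return same_owner and qtype not in types and 5 not in types


# Constructed sample: host.example. has TXT, AAAA, RRSIG and NSEC, but no A.
SAMPLE = encode_type_bitmap([16, 28, 46, 47])
```

The same bitmap answers every QTYPE at that owner name: proves_nodata(..., 1) is true for A, while type 28 (AAAA) is shown to exist.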