[ratelimits] RRL vs other approaches

Vernon Schryver vjs at rhyolite.com
Sat Feb 23 15:00:11 UTC 2013

> From: Olaf Kolkman <olaf at NLnetLabs.nl>

> > Today I realize I am being stupid.  Trying to recursively resolve
> > requests for A RRs with ANY requests does not get the NSEC records

> This confuses me.

Perhaps that is confusing because I am wrong.  Of course ANY gets
everything including any existing NSEC(3) and RRSIG RRs.

> If there is any NSEC record that matches the ownername of your query
> then the type bitmap provides proof of the existent and non-existent
> records. i.e. you only need one appropriate NSEC for the QTYPE proofs.

Yes, a recursive resolver could fill its cache with everything it
needs to answer any and all requests with an ANY request.

The cost would be fetching and saving all of the 1-2 KBytes (or
possibly more) for the qname in order to answer what might turn out
to be a single request.  It could be a saving only in cases like
"request A; response NODATA; request AAAA; answer AAAA"

As long as big DNS responses continue to be problematic, the idea is
probably bad.

Vernon Schryver    vjs at rhyolite.com
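
Added example, not part of the original message or of any resolver's code: a decoder for the NSEC type bitmap (RFC 4034 section 4.1.2) showing how a single NSEC at the query name settles the "request A; response NODATA; request AAAA; answer AAAA" case from cache. The sample bitmap is constructed, the function names are hypothetical, and the NSEC is assumed to have already passed RRSIG validation, which this sketch does not do.

```python
# Added example: NSEC type bitmap (RFC 4034 section 4.1.2) as a per-QTYPE proof.
TYPES = {"A": 1, "NS": 2, "MX": 15, "AAAA": 28, "RRSIG": 46, "NSEC": 47}

def encode_bitmap(types):
    """Build the wire-format type bitmap for a list of RR type codes."""
    windows = {}
    for t in types:
        block = windows.setdefault(t >> 8, bytearray(32))
        block[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)   # bit 0 is the MSB
    out = bytearray()
    for win in sorted(windows):
        bits = bytes(windows[win]).rstrip(b"\x00")  # trailing zero octets omitted
        out += bytes([win, len(bits)]) + bits
    return bytes(out)

def decode_bitmap(wire):
    """Return the set of RR type codes present; reject malformed input."""
    present, pos, last_win = set(), 0, -1
    while pos < len(wire):
        if pos + 2 > len(wire):
            raise ValueError("truncated window header")
        win, length = wire[pos], wire[pos + 1]
        if win <= last_win or not 1 <= length <= 32:
            raise ValueError("bad window order or length")
        if pos + 2 + length > len(wire):
            raise ValueError("truncated bitmap")
        for i, octet in enumerate(wire[pos + 2:pos + 2 + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    present.add(win * 256 + i * 8 + bit)
        pos, last_win = pos + 2 + length, win
    return present

def answer_from_nsec(wire, qtype):
    """One validated NSEC at the qname settles any QTYPE: exists or NODATA."""
    return "exists" if TYPES[qtype] in decode_bitmap(wire) else "NODATA"

# Constructed sample: a name that has AAAA, RRSIG and NSEC but no A record.
SAMPLE = encode_bitmap([TYPES["AAAA"], TYPES["RRSIG"], TYPES["NSEC"]])

if __name__ == "__main__":
    for q in ("A", "AAAA", "MX"):
        print(q, answer_from_nsec(SAMPLE, q))
```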
