[ratelimits] RRL vs other approaches
vjs at rhyolite.com
Sat Feb 23 15:00:11 UTC 2013
> From: Olaf Kolkman <olaf at NLnetLabs.nl>
> > Today I realize I am being stupid. Trying to recursively resolve
> > requests for A RRs with ANY requests does not get the NSEC records
> This confuses me.
Perhaps that is confusing because I am wrong. Of course ANY gets
everything including any existing NSEC(3) and RRSIG RRs.
> If there is any NSEC record that matches the ownername of your query
> then the type bitmap provides proof of the existent and non-existent
> records. i.e. you only need one appropriate NSEC for the QTYPE proofs.
Yes, a recursive resolver could fill its cache with everything it
needs to answer any and all requests with an ANY request.
The cost would be fetching and saving all of the 1-2 KBytes (or
possibly more) for the qname in order to answer what might turn out
to be a single request. It could be a saving only in cases like
"request A; response NODATA; request AAAA; answer AAAA"
As long as big DNS responses continue to be problematic, the idea is
Vernon Schryver vjs at rhyolite.com
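
Added example, not part of the original message or of any resolver's code: decoding an NSEC type bitmap (wire format from RFC 4034, section 4.1.2) to show how one NSEC at the query name settles the "request A; response NODATA; request AAAA" case from the thread. The sample bitmap is constructed, the function names are hypothetical, and the NSEC is assumed to be already validated and to have the qname as its owner name.

```python
# Constructed sample: type bitmap of an NSEC whose owner name has
# AAAA (28), RRSIG (46) and NSEC (47), but no A record.
# Layout: window=0x00, length=0x06, then 6 bitmap octets.
SAMPLE_BITMAP = bytes.fromhex("0006000000080003")


def parse_type_bitmap(data):
    """Return the set of RR type numbers present in an NSEC type bitmap."""
    types = set()
    pos = 0
    last_window = -1
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated window block header")
        window, length = data[pos], data[pos + 1]
        pos += 2
        if not 1 <= length <= 32:
            raise ValueError("bitmap length must be 1..32 octets")
        if window <= last_window:
            raise ValueError("window blocks must be in increasing order")
        if pos + length > len(data):
            raise ValueError("truncated bitmap")
        for i, octet in enumerate(data[pos:pos + length]):
            for bit in range(8):
                # Bits are numbered from the most significant bit of each octet.
                if octet & (0x80 >> bit):
                    types.add(window * 256 + i * 8 + bit)
        pos += length
        last_window = window
    return types


def qtype_status(bitmap, qtype):
    """'NODATA' if the bitmap proves the type is absent at this name, else 'exists'."""
    return "exists" if qtype in parse_type_bitmap(bitmap) else "NODATA"


if __name__ == "__main__":
    # The sequence from the thread: A first, then AAAA, both decided by one NSEC.
    for name, qtype in (("A", 1), ("AAAA", 28)):
        print(name, qtype_status(SAMPLE_BITMAP, qtype))
```

An "exists" result only says the type is present; the records themselves still have to be in the cache or fetched.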