[ratelimits] RRL vs other approaches

Olaf Kolkman olaf at NLnetLabs.nl
Sun Feb 24 03:16:47 UTC 2013

On Feb 23, 2013, at 11:00 PM, Vernon Schryver <vjs at rhyolite.com> wrote:

>> From: Olaf Kolkman <olaf at NLnetLabs.nl>
>>> Today I realize I am being stupid.  Trying to recursively resolve
>>> requests for A RRs with ANY requests does not get the NSEC records
>> This confuses me.
> Perhaps that is confusing because I am wrong.  Of course ANY gets
> everything including any existing NSEC(3) and RRSIG RRs.
>> If there is any NSEC record that matches the ownername of your query =
>> then the type bitmap provides proof of the existent and non-existent =
>> records. i.e. you only need one appropriate NSEC for the QTYPE proofs.
> Yes, a recursive resolver could fill its cache with everything it
> needs to answer any and all requests with an ANY request.
> The cost would fetching and saving all of the the 1-2 KBytes (or
> possibly more) for the qname in order to answer what might turn out
> to be a single request.  It could be a saving only in cases like
> "request A; response NODATA; request AAAA; answer AAAA"
> As long as big DNS responses continue to be problematic, the idea is
> probably bad.

Even if the big responses wouldn't be able to flow anywhere but to the bonafide requestor that idea would probably be a waste of resources. 


Olaf M. Kolkman

olaf at NLnetLabs.nl

Science Park 400, 1098 XH Amsterdam, The Netherlands

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.redbarn.org/pipermail/ratelimits/attachments/20130224/f7943922/attachment.htm>

More information about the ratelimits mailing list