[ratelimits] RRL vs other approaches
Olaf Kolkman
olaf at NLnetLabs.nl
Sun Feb 24 03:16:47 UTC 2013
On Feb 23, 2013, at 11:00 PM, Vernon Schryver <vjs at rhyolite.com> wrote:
>> From: Olaf Kolkman <olaf at NLnetLabs.nl>
>
>>> Today I realize I am being stupid. Trying to recursively resolve
>>> requests for A RRs with ANY requests does not get the NSEC records
>
>> This confuses me.
>
> Perhaps that is confusing because I am wrong. Of course ANY gets
> everything including any existing NSEC(3) and RRSIG RRs.
>
>
>> If there is any NSEC record that matches the ownername of your query
>> then the type bitmap provides proof of the existent and non-existent
>> records. i.e. you only need one appropriate NSEC for the QTYPE proofs.
>
> Yes, a recursive resolver could fill its cache with everything it
> needs to answer any and all requests with an ANY request.
>
> The cost would be fetching and saving all of the 1-2 KBytes (or
> possibly more) for the qname in order to answer what might turn out
> to be a single request. It could be a saving only in cases like
> "request A; response NODATA; request AAAA; answer AAAA"
>
> As long as big DNS responses continue to be problematic, the idea is
> probably bad.
Even if the big responses wouldn't be able to flow anywhere but to the bona fide requestor, that idea would probably be a waste of resources.
--Olaf
NLnet Labs
Olaf M. Kolkman
www.NLnetLabs.nl
olaf at NLnetLabs.nl
Science Park 400, 1098 XH Amsterdam, The Netherlands
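
The point above about one NSEC at the query's owner name covering every QTYPE, as an added example that is not part of the original message: a decoder for the RFC 4034 type bitmap that classifies a QTYPE as present or NODATA. The owner name and record types are constructed sample data, the function names are hypothetical, and RRSIG validation of the NSEC is assumed to have been done elsewhere.

```python
# Added example: RFC 4034 section 4.1.2 NSEC type bitmap handling (NSEC only, not NSEC3).
A, MX, AAAA, RRSIG, NSEC = 1, 15, 28, 46, 47  # IANA RR type numbers

def encode_type_bitmap(types):
    """Encode RR type numbers as window blocks: window, length, bitmap."""
    windows = {}
    for t in types:
        bitmap = windows.setdefault(t >> 8, bytearray(32))
        bitmap[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
    out = bytearray()
    for win in sorted(windows):
        bitmap = bytes(windows[win]).rstrip(b"\x00")  # drop trailing zero octets
        out += bytes([win, len(bitmap)]) + bitmap
    return bytes(out)

def decode_type_bitmap(data):
    """Return the set of RR types present; reject malformed window blocks."""
    types, pos, last_win = set(), 0, -1
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated window header")
        win, length = data[pos], data[pos + 1]
        pos += 2
        if win <= last_win:
            raise ValueError("window blocks out of order")
        if not 1 <= length <= 32 or pos + length > len(data):
            raise ValueError("bad bitmap length")
        for i, octet in enumerate(data[pos:pos + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add(win * 256 + i * 8 + bit)
        pos += length
        last_win = win
    return types

def qtype_status(nsec_owner, qname, bitmap, qtype):
    """Classify qtype at qname from one NSEC whose owner name equals qname."""
    if nsec_owner.lower().rstrip(".") != qname.lower().rstrip("."):
        raise ValueError("NSEC owner differs from qname; no type proof here")
    return "exists" if qtype in decode_type_bitmap(bitmap) else "NODATA"

# Constructed sample: an NSEC at example.com. listing A, MX, RRSIG, NSEC.
SAMPLE_OWNER = "example.com."
SAMPLE_BITMAP = encode_type_bitmap([A, MX, RRSIG, NSEC])

if __name__ == "__main__":
    for name, qtype in (("A", A), ("AAAA", AAAA), ("MX", MX)):
        print(name, qtype_status(SAMPLE_OWNER, "example.com.", SAMPLE_BITMAP, qtype))
```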