[dns-operations] 10% was Re: .mm ....

Paul Wouters paul at cypherpunks.ca
Mon Jan 21 19:55:01 UTC 2013


On Mon, 21 Jan 2013, Warren Kumari wrote:

> 1: Everyone does strict implementations.
>
> 2: When the signature expires everyone does the following:
> A: You calculate by how much the zone has expired, normalize it, then multiply by 255 and call this EXPIRED-AMNT.
> B: You take the primary IP of your recursive server, hash it, take the last octet of the hash and call it REF-HASH.
> C: You hash the label of the zone apex, take the last octet and call it ZA-HASH.
>
> Now, if REF-HASH - ZA-HASH < EXPIRED-AMNT you can still answer the query. This means that initially only 1/255 resolvers will view the zone as bogus, but as time goes by (up to double the validity interval) more and more resolvers will mark it bad. This allows for increasingly strong signals to the operator, but doesn't favor any one implementation….
>
> You're welcome…

One wonders if this algorithm favours recursive name servers ending with .8 :)

The idea is actually really nice. Whether everyone understands the prisoner's dilemma... I doubt it.

Paul
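The graduated-expiry scheme quoted above, as an added worked example that is not part of the original thread. Assumptions not stated in the message: SHA-256 as the hash, "normalize" taken as seconds past expiration divided by the original validity window (capped at 1.0, i.e. double the interval), the REF-HASH minus ZA-HASH difference taken modulo 256, and the comparison oriented so that the share of resolvers treating the zone as bogus starts near 1/255 and grows with expiry as the message describes.

```python
import hashlib
from ipaddress import ip_address


def last_octet(data: bytes) -> int:
    """Last byte of SHA-256 (assumed hash; the message does not name one)."""
    return hashlib.sha256(data).digest()[-1]


def ref_hash(resolver_ip: str) -> int:
    """REF-HASH: last octet of the hash of the resolver's primary address."""
    return last_octet(ip_address(resolver_ip).packed)


def za_hash(apex: str) -> int:
    """ZA-HASH: last octet of the hash of the zone apex label."""
    return last_octet(apex.lower().rstrip(".").encode())


def expired_amount(now: int, expiration: int, inception: int) -> int:
    """EXPIRED-AMNT: overdue fraction of the validity window, scaled to 0..255.

    Reaches 255 once the zone has been expired for a full validity interval
    (double the interval since inception), matching the message's ceiling.
    """
    validity = expiration - inception
    if now < expiration or validity <= 0:
        return 0
    overdue = (now - expiration) / validity
    return int(min(overdue, 1.0) * 255)


def still_answer(resolver_ip: str, apex: str, now: int, expiration: int, inception: int) -> bool:
    """True if this resolver should keep serving the zone despite expiry."""
    if now < expiration:
        return True  # signatures valid: ordinary validation applies
    amount = expired_amount(now, expiration, inception)
    offset = (ref_hash(resolver_ip) - za_hash(apex)) % 256  # assumed modular difference
    return offset > amount  # offsets at or below the threshold mark the zone bogus


def bogus_fraction(resolvers, apex: str, now: int, expiration: int, inception: int) -> float:
    """Share of a resolver population that would treat the zone as bogus at time `now`."""
    bogus = sum(not still_answer(r, apex, now, expiration, inception) for r in resolvers)
    return bogus / len(resolvers)


# Constructed sample: 256 resolvers in the 192.0.2.0/24 documentation range,
# a one-day validity window (seconds), checked at several points after expiry.
RESOLVERS = [f"192.0.2.{i}" for i in range(256)]
INCEPTION, EXPIRATION = 0, 86400
if __name__ == "__main__":
    for now in (86400, 90000, 129600, 172800):
        print(now, bogus_fraction(RESOLVERS, "example.", now, EXPIRATION, INCEPTION))
```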


