[dns-operations] 10% was Re: .mm ....

Warren Kumari warren at kumari.net
Mon Jan 21 20:03:53 UTC 2013

On Jan 21, 2013, at 2:55 PM, Paul Wouters <paul at cypherpunks.ca> wrote:

> On Mon, 21 Jan 2013, Warren Kumari wrote:
>> 1: Everyone does strict implementations.
>> 2: When the signature expires everyone does the following:
>> A: You calculate by how much the zone has expired, normalize it, then multiply by 255 and call this EXPIRED-AMNT.
>> B: You take the primary IP of your recursive server, hash it, take the last octet of the hash and call it REF-HASH.
>> C: You hash the label of the zone apex, take the last octet and call it  ZA-HASH.
>> Now, if REF-HASH - ZA-HASH < EXPIRED-AMNT you can still answer the query. This means that initially only 1/255 resolvers will view the zone as bogus, but as time goes by (up to double the validity interval) more and more resolvers will mark it bad. This allows for increasingly strong signals to the operator, but doesn't favor any one implementation….
>> You're welcome…
> One wonders if this algorithm favours recursive name servers ending with .8 :)

Hmmm…. Actually, for performance reasons (hashes are slow) I've just tweaked the algorithm… 
Instead, you take the first octet, add the second and then subtract the sum of the third and forth. 
You then use this as a percentage of how likely you are to drop queries.… 



> The idea is actually really nice. Whether everyone understands the prisoner's dilemma... I doubt it.
> Paul

I had no shoes and wept.  Then I met a man who had no feet.  So I said, "Hey man, got any shoes you're not using?" 

More information about the dns-operations mailing list