[dns-operations] negative dnssec replies

Tony Finch dot at dotat.at
Mon Nov 28 12:02:27 UTC 2016

Florian Weimer <fw at deneb.enyo.de> wrote:
> Doesn't the NSEC3 opt-out mechanism achieve pretty much something like
> this?

It can give you a smaller zone if you have lots of unsigned delegations,
but it doesn't reduce the size of the zone if all the actual records are
signed, and it doesn't reduce the size of negative replies since you have
to send an opt-out proof.

Unsigned NXDOMAINs are a marvellous DoS mechanism :-)

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Wight, Portland, Plymouth: East 5 to 7. Moderate or rough. Mainly fair, but
showers at first. Moderate or good.

More information about the dns-operations mailing list