[dns-operations] negative dnssec replies
logrouterlog at gmail.com
Mon Nov 28 20:23:37 UTC 2016
Oh well, it was just a stray thought ;)
Thanks for the link to Olaf Gudmundsson's interesting blog.
I was aware that PowerDNS allows one to synthesize signed nxdomain.
I still think there must be a more elegant method out there that doesn't
involve keeping the private key on the shop floor.
On Mon, Nov 28, 2016 at 1:02 PM, Tony Finch <dot at dotat.at> wrote:
> Florian Weimer <fw at deneb.enyo.de> wrote:
> > Doesn't the NSEC3 opt-out mechanism achieve pretty much something like
> > this?
> It can give you a smaller zone if you have lots of unsigned delegations,
> but it doesn't reduce the size of the zone if all the actual records are
> signed, and it doesn't reduce the size of negative replies since you have
> to send an opt-out proof.
> Unsigned NXDOMAINs are a marvellous DoS mechanism :-)
> f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h
> Wight, Portland, Plymouth: East 5 to 7. Moderate or rough. Mainly fair, but
> showers at first. Moderate or good.
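As an added illustration of the opt-out trade-off Tony describes (this is not code from the thread or from PowerDNS), the following builds an NSEC3 chain for a constructed zone with and without opt-out and looks up the record a negative reply would have to carry. Zone names, the salt and iteration count are constructed assumptions.

```python
# Added illustration of the NSEC3 opt-out trade-off; not code from the thread.
import base64
import hashlib

B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"  # RFC 5155 owner names use base32hex

def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """RFC 5155 section 5: SHA-1(wire(name) || salt), re-hashed `iterations` times."""
    labels = [l for l in name.lower().split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode().rstrip("=")
    return b32.translate(str.maketrans(B32_STD, B32_HEX)).lower()

def nsec3_chain(names, unsigned_delegations, opt_out):
    """Sorted owner hashes of the chain; with opt-out, unsigned delegations get no NSEC3."""
    covered = [n for n in names if not (opt_out and n in unsigned_delegations)]
    return sorted(nsec3_hash(n) for n in covered)

def covering_record(chain, qname):
    """(owner, next) interval whose gap contains qname's hash, or None if the hash matches.
    A negative reply must still carry such a record (plus the closest-encloser proof),
    which is why opt-out does not shrink the denial itself."""
    h = nsec3_hash(qname)
    if h in chain:
        return None
    for i, owner in enumerate(chain):
        nxt = chain[(i + 1) % len(chain)]  # last record wraps around to the first
        wraps = owner >= nxt
        if (not wraps and owner < h < nxt) or (wraps and (h > owner or h < nxt)):
            return owner, nxt
    raise AssertionError("unreachable: the chain covers the whole hash space")

# Constructed sample zone: signed apex data plus 50 unsigned child delegations.
APEX = "example"
CHILDREN = [f"child{i}.example" for i in range(50)]
NAMES = [APEX, "www.example", "mail.example"] + CHILDREN

def chain_sizes():
    """Chain length (full, opt-out, opt-out with every delegation signed)."""
    full = len(nsec3_chain(NAMES, set(CHILDREN), opt_out=False))
    opted = len(nsec3_chain(NAMES, set(CHILDREN), opt_out=True))
    all_signed = len(nsec3_chain(NAMES, set(), opt_out=True))  # nothing to skip
    return full, opted, all_signed

if __name__ == "__main__":
    print("chain sizes:", chain_sizes())
    chain = nsec3_chain(NAMES, set(CHILDREN), opt_out=True)
    print("record denying nonexistent.example:", covering_record(chain, "nonexistent.example"))
```

Opt-out cuts the chain from 53 records to 3 only because 50 delegations are unsigned; the all-signed case stays at 53, and the nonexistent name still needs a covering record either way.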