[dns-operations] [Ext] Possibly-incorrect NSEC responses from many RSOs

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Mar 2 21:01:10 UTC 2021


> On Mar 2, 2021, at 6:46 PM, Peter van Dijk <peter.van.dijk at powerdns.com> wrote:
> 
> Compared to REFUSED, the synthetic RRSIG has the benefit of not causing
> a retry towards another auth (as Florian said); why not go another step
> then and make it cacheable? You say 'no point in caching', I agree, but
> then how about going another step and saying 'no point in a resolver
> repeating this question on behalf of a client every second' - so put a
> juicy TTL on it.

That way caches end up storing useless garbage, so the question is what
to optimise for, avoiding filling caches with garbage when each query
asks for a different name, or avoiding repeated queries for the RRSIG
of a fixed name.  It is not clear which is the better choice, open to
discussion I guess, I don't have religion on this point, the 0 TTL is
my gut instinct.

-- 
	Viktor.
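The trade-off Viktor describes (a 0 TTL that keeps caches clean but lets a fixed-name query repeat every second, versus a long TTL that suppresses repeats but fills the cache when every query is for a different name) can be made concrete with a small resolver-cache model. This is an added, constructed example, not code from the thread or from any resolver; the names, the TTL value and the one-query-per-second workload are assumptions chosen to show the two cases side by side.

```python
"""Toy resolver-cache model (constructed example, not from the thread).

A synthetic RRSIG answer for a name is either uncacheable (TTL 0) or cached
for a fixed TTL.  For a stream of client queries we count how many reach the
authoritative server and how many entries the cache holds at its peak.
"""
from dataclasses import dataclass, field


@dataclass
class ResolverCache:
    ttl: int                      # TTL applied to the synthetic answer (0 = do not cache)
    now: int = 0                  # simulated clock, seconds
    entries: dict = field(default_factory=dict)   # qname -> expiry time
    upstream_queries: int = 0     # queries forwarded to the authoritative server

    def tick(self, seconds: int = 1) -> None:
        """Advance the clock and drop expired entries."""
        self.now += seconds
        self.entries = {k: v for k, v in self.entries.items() if v > self.now}

    def lookup(self, qname: str) -> str:
        """Answer from cache if possible, else query upstream and maybe cache."""
        expiry = self.entries.get(qname)
        if expiry is not None and expiry > self.now:
            return "hit"
        self.upstream_queries += 1
        if self.ttl > 0:
            self.entries[qname] = self.now + self.ttl
        return "miss"


def simulate(ttl: int, qnames: list) -> tuple:
    """Feed one query per second; return (upstream_queries, peak_cache_entries)."""
    cache = ResolverCache(ttl)
    peak = 0
    for q in qnames:
        cache.lookup(q)
        peak = max(peak, len(cache.entries))
        cache.tick()
    return cache.upstream_queries, peak


if __name__ == "__main__":
    # Constructed workloads: the same name 60 times, and 60 distinct names.
    fixed = ["a.example."] * 60
    distinct = [f"n{i}.example." for i in range(60)]
    for ttl in (0, 300):
        print(f"TTL={ttl:3d}  fixed name: {simulate(ttl, fixed)}  "
              f"distinct names: {simulate(ttl, distinct)}")
```

With TTL 0 both workloads send all 60 queries upstream and cache nothing; with TTL 300 the fixed-name workload sends one query upstream, while the distinct-name workload still sends 60 and leaves 60 entries in the cache. Which column matters more depends on which workload a given resolver actually sees, which is the open question in the thread.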