[dns-operations] Input from dns-operations on NCAP proposal

Dave Lawrence tale at dd.org
Mon Jun 6 18:43:06 UTC 2022


Vladimír Čunát writes:
> If the root zone is unchanged, many names could be hidden before 
> reaching root servers - by DNSSEC aggressive caching and/or various 
> local-root variants.  (I'm not sure if we can well measure the extent to 
> which this happens.)

That's an interesting observation.  I'm inclined to think (with no
data to back it up) that the penetration of DNSSEC is sadly still
not deep enough that you'd still see plenty of leakage even in the
presence of aggressive NSEC.  I know there's data that shows
aggressive NSEC does have an positive impact on reducing garbage
queries, but also that plenty of garbage still does get through.

Ditto local roots.  This feels like something Geoff Huston probably
has some kind of data about, but a cursory search didn't turn it up.
I personally run a local root on my home system, but how prevalent are
they?  

That said, I'm not really just trying to wave off the problems those
two scenarios present. I accept that the only way to really capture
all of these queries into the global DNS is via a delegation, and just
still wonder whether RSS logging wouldn't be good enough to give
adequate observations of potential collision problems.

Especially because each of the suggested configurations presented
originally also have their own problems, as you have already observed.
Sounds like at least the two options to synthesize NXDOMAINs for all
labels at the delegated authority are worth some lab tests for major
resolvers to document just how they'd respond in the presence of the
suggested synthesis.

Full disclosure: I'm in the "preserve NXDOMAIN" camp, based in part on
having worked in the past with systems where the difference between
NXDOMAIN and NOERROR/NODATA was significant.  I do not knowingly work
with such systems now though, so can't make any sort of strong claim
as to what would currently be impacted.  Well I guess that's not
completely true, I *do* regularly encounter the problem with DNSSEC
Black Lies, and grumble and mutter every time I do.  That's more of a
human interface issue though, not a programmatic one.





More information about the dns-operations mailing list