[dns-operations] Cloudflare TYPE65283

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Mar 27 21:14:38 UTC 2023


On Tue, Mar 28, 2023 at 06:01:40AM +0900, Shumon Huque wrote:

> I've spoken to both NS1 and Route53, and both are amenable to adjusting
> their implementations to support the changes specified in
> draft-huque-dnsop-compact-lies. So, we hope that the end result will be
> that all known implementations of compact lies will support this common
> mechanism to distinguish NXDOMAIN vs ENT vs (other) NODATA.
> 
> If there are any other implementations of Compact Lies that folks are aware
> of, we should make them aware of this and bring them into the fold.

A possibly inconvenient question, just to make sure we're not ignoring
the obvious sceptical position:

* How compelling are compact lies?

The reason to ask is that both the original and now modified protocols
involve non-trivial complexity, and would have resolvers responding
differently to queries with the DO bit set (tell them the truth) vs.
queries that don't request validated answers (unmask the lie).

The savings vs. actual by-the-book NSEC responses appear to be a 2x
reduction in the number of signatures to compute (the SOA RRSIG is
presumably easily cached) and a 1.5x reduction in the number of
signatures to transmit (SOA + 1 NSEC, vs. SOA + 2 NSEC).

Do the CPU and packet size reductions justify the additional protocol
complexity?

-- 
    Viktor.
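The distinction the quoted paragraph is about (NXDOMAIN vs ENT vs other NODATA in a compact-lies response) hinges on what the authoritative server puts in the type bitmap of the NSEC record it places at the query name. The following is an added example, not code from this post, from the draft, or from any of the implementations named above. It implements the RFC 4034 section 4.1.2 window-block encoding of the NSEC type bitmap and a classifier that applies the draft's signalling convention as I understand it: an NSEC at the query name whose bitmap includes the NXNAME pseudo-type means NXDOMAIN, one with only NSEC and RRSIG means an empty non-terminal, anything else is an ordinary NODATA. TYPE65283 is the private-use code from the thread subject; treating it as the NXNAME code is an assumption of this example, as are the sample names.

```python
# Added example (not from the mailing-list post): NSEC type-bitmap codec per
# RFC 4034 section 4.1.2 plus a classifier for compact-lies negative answers.
from __future__ import annotations

# IANA type codes for RRSIG and NSEC; 65283 is the private-use code Cloudflare
# uses (per the thread subject) and is assumed here to stand for NXNAME.
A, RRSIG, NSEC, NXNAME = 1, 46, 47, 65283


def encode_type_bitmap(types: set[int]) -> bytes:
    """Wire-format type bitmap: a sequence of (window, length, bitmap) blocks."""
    out = bytearray()
    for window in sorted({t >> 8 for t in types}):
        bitmap = bytearray(32)  # 256 bits for types window*256 .. window*256+255
        for t in types:
            if t >> 8 == window:
                low = t & 0xFF
                bitmap[low >> 3] |= 0x80 >> (low & 7)  # bit 0 is the high bit
        # Trailing zero octets are omitted; length must be 1..32.
        while len(bitmap) > 1 and bitmap[-1] == 0:
            bitmap.pop()
        out += bytes([window, len(bitmap)]) + bitmap
    return bytes(out)


def decode_type_bitmap(data: bytes) -> set[int]:
    """Inverse of encode_type_bitmap; rejects malformed window blocks."""
    types: set[int] = set()
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window block header")
        window, length = data[i], data[i + 1]
        if not 1 <= length <= 32:
            raise ValueError(f"invalid bitmap length {length}")
        bitmap = data[i + 2 : i + 2 + length]
        if len(bitmap) != length:
            raise ValueError("truncated bitmap")
        for byte_index, byte in enumerate(bitmap):
            for bit in range(8):
                if byte & (0x80 >> bit):
                    types.add((window << 8) | (byte_index << 3) | bit)
        i += 2 + length
    return types


def _canon(name: str) -> str:
    return name.lower().rstrip(".")


def classify_compact_denial(qname: str, nsec_owner: str, nsec_types: set[int]) -> str:
    """Classify a negative answer from the NSEC record in its authority section.

    Returns 'COVERING' when the NSEC owner is not the query name (a by-the-book
    NSEC proof, not a compact lie), otherwise 'NXDOMAIN', 'ENT' or 'NODATA'
    according to the assumed signalling convention described in the lead-in.
    """
    if _canon(qname) != _canon(nsec_owner):
        return "COVERING"
    if NXNAME in nsec_types:
        return "NXDOMAIN"
    if nsec_types <= {NSEC, RRSIG}:
        return "ENT"
    return "NODATA"


if __name__ == "__main__":
    # Constructed sample: the NSEC a compact-lies server would synthesise at a
    # non-existent name, with its bitmap shown in wire form.
    wire = encode_type_bitmap({RRSIG, NSEC, NXNAME})
    print(wire.hex())  # window 0 block followed by window 255 block
    print(classify_compact_denial("nope.example.", "nope.example.", decode_type_bitmap(wire)))
```

The decoder is deliberately strict about block lengths: a resolver that trusts a malformed bitmap can mis-classify a denial, so rejecting it is the safer failure mode.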
