This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[dns-wg] What about the last mile, was: getting DNSSEC deployed

Previous message (by thread): [dns-wg] What about the last mile, was: getting DNSSEC deployed
Next message (by thread): [dns-wg] What about the last mile, was: getting DNSSEC deployed

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Peter Koch pk at DENIC.DE
Fri Feb 16 11:07:29 CET 2007

On Fri, Feb 16, 2007 at 09:20:09AM +0000, Lutz Donnerhacke wrote:

> DNSSEC validating on a larger resolver does scale well, because - that's the
> important observation I made - a lot of queries can be answered from cached
> NSEC records without querying further. The whole bunch of NXDOMAIN dropped by
> about 70% here. Crypto is cheap compared to networking.

Are you suggesting that

a) since most of the queries are repeated ones leading to NXDOMAIN you
   can take advantage of the response being cached and not in need of
   re-validation, or

b) you have and use an implementation, that -- in violation of the DNSSEC
   specification -- applies "aggressive negative caching"?

In case of (a) I'd not understand the drop rate, for (b) I'd like to read
a name.

-Peter

Previous message (by thread): [dns-wg] What about the last mile, was: getting DNSSEC deployed
Next message (by thread): [dns-wg] What about the last mile, was: getting DNSSEC deployed

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ dns-wg Archives ]