On 11/26/19 9:58 PM, Tony Finch wrote:
> Mirror zones (validated zone transfers) fall on the wrong side of the
> cost/benefit equation for me. But I might change my mind if there were
> better security for unauthenticated records (NS and glue)
These are why we only implemented the mechanism over HTTPS for now (in addition to validating signatures).
https://knot-resolver.readthedocs.io/en/stable/modules.html#cache-prefilling

Still, I believe that a small resolver instance only needs a few DNS queries to root (per TTL), so switching everyone to always transferring the whole root should increase the total traffic considerably, and HTTPS and XoT are probably more expensive than DNS-over-UDP given the same traffic amount.

That's where the aggressive-cache-only approach seems nice, but (additionally) having full root would also avoid leaking any of those garbage queries. (Except for those that hit an existing TLD, but those can't be helped at the root level, and TLDs are generally too big+dynamic for mirroring.)

--Vladimir

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
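The "aggressive-cache-only approach" mentioned above is aggressive use of DNSSEC-validated NSEC records (RFC 8198): once a resolver holds the NSEC records that bracket a gap in the root zone, it can synthesize NXDOMAIN for any name in that gap without sending the query to a root server. The following is an added illustration, not code from the thread or from Knot Resolver, of the two decisions a resolver has to get right: canonical DNS name ordering (RFC 4034 section 6.1) to decide whether a name falls inside an NSEC interval, and the delegation check that stops it from synthesizing denials for names that live below a TLD cut. The four-record NSEC chain is a constructed, much-shortened slice of the root zone; the real chain has one NSEC per TLD, and the records are assumed to have already been DNSSEC-validated before being cached.

```python
"""Aggressive NSEC cache lookup for a (constructed) slice of the root zone.

Added example, not from the mailing-list thread or Knot Resolver.
Assumes the NSEC records below were validated before being cached and that
all names are ASCII A-labels.
"""
from typing import Tuple

# Constructed NSEC chain: (owner, next owner, type bitmap). The real root has
# one NSEC per TLD; this slice keeps only a few so the intervals are visible.
NSEC_CACHE = [
    (".",    "com.", {"NS", "SOA", "RRSIG", "NSEC", "DNSKEY"}),
    ("com.", "net.", {"NS", "DS", "RRSIG", "NSEC"}),
    ("net.", "org.", {"NS", "DS", "RRSIG", "NSEC"}),
    ("org.", ".",    {"NS", "DS", "RRSIG", "NSEC"}),   # last record wraps to the apex
]


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """RFC 4034 canonical ordering key: labels right-to-left, lower-cased.

    Tuple comparison gives the required behaviour: a name sorts after every
    ancestor (shorter tuple with equal prefix) and labels compare bytewise.
    """
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return tuple(label.encode("ascii") for label in reversed(labels))


def is_ancestor_or_equal(ancestor: str, name: str) -> bool:
    a, n = canonical_key(ancestor), canonical_key(name)
    return n[:len(a)] == a


def covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname falls strictly inside the NSEC interval (owner, next)."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if n <= o:                      # final NSEC in the chain: interval wraps to the apex
        return q > o or q < n
    return o < q < n


def lookup(qname: str, cache=NSEC_CACHE) -> str:
    """Return NXDOMAIN (synthesized from cache), EXISTS, or FORWARD (must ask upstream)."""
    for owner, nxt, types in cache:
        if canonical_key(owner) == canonical_key(qname):
            return "EXISTS"          # name is in the root; answer depends on the type bitmap
        # An NSEC whose owner is a delegation (NS set, no SOA) says nothing about
        # names beneath that cut; those belong to the child zone and must be forwarded.
        if is_ancestor_or_equal(owner, qname) and "NS" in types and "SOA" not in types:
            return "FORWARD"
        if covers(owner, nxt, qname):
            return "NXDOMAIN"
    return "FORWARD"                 # no cached interval applies


def count_root_queries_avoided(qnames) -> int:
    """How many of the given names never reach a root server thanks to the cache."""
    return sum(1 for q in qnames if lookup(q) in ("NXDOMAIN", "EXISTS"))


if __name__ == "__main__":
    # Constructed sample of typical junk seen at resolvers, plus a few real lookups.
    sample = ["foo.", "local.", "wpad.home.", "a.b.zzz.", "zzz.com.", "COM.", "."]
    for q in sample:
        print(f"{q:12} -> {lookup(q)}")
    print("avoided root queries:", count_root_queries_avoided(sample), "of", len(sample))
```

The delegation check is the part that matters for correctness: `zzz.com.` lies inside the `com.`/`net.` interval in canonical order, so a naive interval test would wrongly synthesize NXDOMAIN for a name the root zone has nothing to say about. Only the names whose closest encloser is the root itself (nonexistent TLDs and everything under them) can be denied from the root's NSEC chain.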
