> One of the ways to mitigate this weakness > was to shift to using less than maximal spans in order to avoid > disclosing the delegated names. Presumably any choice of less > than maximal spans would have been equivalent, with minimal > spans being an entirely sensible choice. (Or maybe I'm missing > a specific reason for choosing minimal spans, but it's not > relevant for the purpose of this note.)
There is some limit on the size of the span if the goal is to avoid disclosing delegated names. For example, if the avarage size of a span is half of a maximal span, then enumeration is only twice as expensive. Some time ago people invented aggressive negative caching. So for NSEC, there is now a trade-off between disclosing delegated names and getting the benefit of aggressive negative caching. (I fully agree that terms that include 'lies' should not be used.) _______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
