On Fri, Feb 16, 2007 at 09:20:09AM +0000, Lutz Donnerhacke wrote:
> DNSSEC validating on a larger resolver does scale well, because - that's the important observation I made - a lot of queries can be answered from cached NSEC records without querying further. The whole bunch of NXDOMAIN dropped by about 70% here. Crypto is cheap compared to networking.
Are you suggesting that a) since most of the queries are repeated ones leading to NXDOMAIN you can take advantage of the response being cached and not in need of re-validation, or b) you have and use an implementation that -- in violation of the DNSSEC specification -- applies "aggressive negative caching"? In case of (a) I'd not understand the drop rate, for (b) I'd like to read a name.

-Peter
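To make the mechanism the two are arguing about concrete, here is an added example (not code from either poster or from any resolver implementation) of how a validating resolver can answer a query for a non-existent name from already-validated NSEC records in its cache, without sending anything upstream. This is the "aggressive negative caching" Peter refers to, which was later standardised in RFC 8198. The example assumes a resolver cache that stores only NSEC records that passed validation, uses the canonical name ordering from RFC 4034 section 6.1, and checks both the covering NSEC for the query name and the NSEC that rules out a wildcard at the closest encloser. The zone contents and query list are constructed for the demonstration.

```python
"""Synthesising NXDOMAIN from cached, validated NSEC records.

Added illustration, not from the mailing-list thread. The sample zone
'example.' below and the query list are constructed for the demo.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NSEC:
    zone: str       # apex of the zone the record was validated in
    owner: str      # owner name of the NSEC RR
    next_name: str  # "next domain name" field of the NSEC RR


def _labels(name: str) -> List[bytes]:
    """Split a name into labels, root first, lower-cased (RFC 4034 s6.1)."""
    name = name.rstrip(".").lower()
    return [l.encode("ascii") for l in name.split(".")][::-1] if name else []


def canonical_cmp(a: str, b: str) -> int:
    """Canonical DNS name order: compare label by label from the root
    outward; an ancestor (prefix) sorts before its descendants."""
    la, lb = _labels(a), _labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def is_subdomain(name: str, zone: str) -> bool:
    ln, lz = _labels(name), _labels(zone)
    return ln[:len(lz)] == lz


def nsec_covers(rec: NSEC, qname: str) -> bool:
    """True if qname lies strictly between owner and next, i.e. the NSEC
    proves that qname does not exist. The last NSEC of a zone wraps
    around to the apex, so its 'next' sorts at or before its owner."""
    if not is_subdomain(qname, rec.zone):
        return False
    after_owner = canonical_cmp(qname, rec.owner) > 0
    if canonical_cmp(rec.next_name, rec.owner) <= 0:  # wrap-around record
        return after_owner
    return after_owner and canonical_cmp(qname, rec.next_name) < 0


def closest_encloser(qname: str, rec: NSEC) -> str:
    """Longest ancestor of qname that it shares with the NSEC owner or next name."""
    lq = _labels(qname)
    best = 0
    for other in (rec.owner, rec.next_name):
        lo = _labels(other)
        n = 0
        while n < min(len(lq), len(lo)) and lq[n] == lo[n]:
            n += 1
        best = max(best, n)
    return ".".join(l.decode() for l in reversed(lq[:best])) + "." if best else "."


def synthesize_nxdomain(cache: List[NSEC], qname: str) -> Optional[NSEC]:
    """Return the NSEC covering qname if NXDOMAIN is provable from cache
    alone: qname is covered, and the wildcard at the closest encloser is
    also covered (so no wildcard expansion could have answered)."""
    for rec in cache:
        if nsec_covers(rec, qname):
            ce = closest_encloser(qname, rec)
            wildcard = "*." + ce if ce != "." else "*."
            if any(nsec_covers(r, wildcard) for r in cache):
                return rec
    return None


def cache_hit_fraction(cache: List[NSEC], queries: List[str]) -> float:
    """Share of queries that never leave the resolver; this is the effect
    behind the reported drop in outgoing NXDOMAIN traffic."""
    hits = sum(1 for q in queries if synthesize_nxdomain(cache, q) is not None)
    return hits / len(queries) if queries else 0.0


# Constructed cache: a three-name zone 'example.' with names a and m.
SAMPLE_CACHE = [
    NSEC("example.", "example.", "a.example."),
    NSEC("example.", "a.example.", "m.example."),
    NSEC("example.", "m.example.", "example."),  # last record wraps to apex
]

# Constructed query mix: two non-existent names, one existing, one off-zone.
SAMPLE_QUERIES = ["b.example.", "zzz.example.", "a.example.", "b.other."]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        rec = synthesize_nxdomain(SAMPLE_CACHE, q)
        print(q, "-> NXDOMAIN from cache via NSEC", rec.owner if rec else "(must query upstream)")
    print("answered locally:", cache_hit_fraction(SAMPLE_CACHE, SAMPLE_QUERIES))
```

The wildcard check is what separates a correct synthesis from a dangerous one: an NSEC covering the query name alone does not prove NXDOMAIN if `*.<closest encloser>` exists, so a resolver that skips that step would turn valid wildcard answers into false negatives. Two further caveats a real implementation needs that the example leaves out: the synthesised answer's TTL must be capped by the NSEC TTL and the zone's SOA minimum, and NSEC records at delegation points must not be used to deny names below the cut.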