16 Feb 2007, 11:29 a.m.
* Peter Koch wrote:
> b) you have and use an implementation that -- in violation of the DNSSEC specification -- applies "aggressive negative caching"?
Of course, it's a slightly modified bind. What's wrong with using the NSEC data for negative caching?

Example:

  Q: avalon.iks-jena.de. AAAA   [query the authoritative]
  A: avalon NSEC awstats.iks-jena.de. A MX TXT LOC SSHFP RRSIG NSEC

  Q: avalon.iks-jena.de. HINFO
  A: avalon NSEC awstats.iks-jena.de. A MX TXT LOC SSHFP RRSIG NSEC

  Q: avatar.iks-jena.de. A
  A: avalon NSEC awstats.iks-jena.de. A MX TXT LOC SSHFP RRSIG NSEC

I do _not_ extend the lifetime of the NSEC over the TTL based on the RRSIG end date.
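
The cache decision walked through in the message above, as an added Python example that is not part of the original post and is not the poster's modified bind. The names `canonical_key`, `CachedNsec` and `proves` are hypothetical, the NSEC is assumed to have passed DNSSEC validation already, and the wildcard proof a full NXDOMAIN answer also needs is not checked.

```python
import time
from dataclasses import dataclass

def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical name ordering:
    labels compared right to left, lowercased, as byte strings."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]

@dataclass(frozen=True)
class CachedNsec:
    owner: str
    next_name: str
    types: frozenset   # type bitmap of the NSEC record
    expires: float     # absolute time at which the record's TTL runs out

def proves(nsec, qname, qtype, now=None):
    """Return "NODATA", "NONEXISTENT" or None (the cache cannot answer)."""
    now = time.time() if now is None else now
    if now >= nsec.expires:
        return None    # honour the TTL, never the RRSIG end date
    owner, nxt, q = (canonical_key(n)
                     for n in (nsec.owner, nsec.next_name, qname))
    if q == owner:
        # Name exists; only types missing from the bitmap are proven absent.
        return None if qtype.upper() in nsec.types else "NODATA"
    if owner < nxt:
        inside = owner < q < nxt
    else:
        # Last NSEC of the zone points back at the apex: it covers every
        # in-zone name sorting after the owner.
        inside = q[:len(nxt)] == nxt and q > owner
    return "NONEXISTENT" if inside else None

# Constructed from the record quoted in the message; the expiry is made up.
AVALON = CachedNsec(
    "avalon.iks-jena.de.", "awstats.iks-jena.de.",
    frozenset("A MX TXT LOC SSHFP RRSIG NSEC".split()), expires=1000.0)

if __name__ == "__main__":
    for qname, qtype in [("avalon.iks-jena.de.", "HINFO"),
                         ("avatar.iks-jena.de.", "A"),
                         ("avalon.iks-jena.de.", "MX")]:
        print(qname, qtype, "->", proves(AVALON, qname, qtype, now=0.0))
```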