[dns-wg] Re: What about the last mile, was: getting DNSSEC deployed
Stephane Bortzmeyer bortzmeyer at nic.fr
Fri Feb 16 12:05:29 CET 2007
On Fri, Feb 16, 2007 at 10:29:41AM +0000, Lutz Donnerhacke <lutz at iks-jena.de> wrote a message of 20 lines which said: > Of course, it's a slightly modified bind. What's wrong with using > the NSEC data for negative caching? RFC 4035, "4.5. Response Caching" In theory, a resolver could use wildcards or NSEC RRs to generate positive and negative responses (respectively) until the TTL or signatures on the records in question expire. However, it seems prudent for resolvers to avoid blocking new authoritative data or synthesizing new data on their own. Resolvers that follow this recommendation will have a more consistent view of the namespace.
[ dns-wg Archives ]