<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class="">I'm going through Rubens' email and addressing different points in several emails. This first one is about zone contents.</div><div class=""><br class=""></div><div class=""><div><blockquote type="cite" class=""><div class="">On Aug 2, 2023, at 3:42 PM, Rubens Kuhl via NCAP-Discuss <<a href="mailto:ncap-discuss@icann.org" class="">ncap-discuss@icann.org</a>> wrote:</div><div class=""><div class=""><br class="">Option 1: Delegated zone only contains SOA, dotless NS, dotless DNSKEY, NSEC records and RRSIGs for all the records.<br class=""></div></div></blockquote><div><br class=""></div>Thanks for this great detail. Let me share some of my thoughts with regard to the nearly-empty TLD zone file. There are at least four considerations, one of which relates to DNSSEC-signing, which you've just shared.</div><div><br class=""></div><div>1. Aggressive NSEC caching. Where aggressive NSEC caching is in use, negative responses can be inferred by the resolver when the zone is DNSSEC-signed. In the case of a zone that is empty other than its apex, we would expect to get *no* follow-up queries from a resolver that is doing aggressive NSEC caching, i.e., because it will have learned the entire contents of the zone, it has no need to query again.</div><div><br class=""></div><div>2. NXDOMAIN: There Really Is Nothing Underneath. Suppose a resolver receives a query for foo.applied-for-tld-string. It issues that query to auth server, and receives NXDOMAIN. A short time later, the resolver receives query for bar.foo.applied-for-tld-string. What does the resolver do? Well, according to RFC 8020:<br class=""><br class=""> Many resolvers today will forward both queries.<br class=""> However, following the rules in this document ("NXDOMAIN cut"), a<br class=""> resolver would cache the first NXDOMAIN response, as a sign of<br class=""> nonexistence, and then immediately return an NXDOMAIN response for<br class=""> the second query, without transmitting it to an authoritative server.<br class=""><br class="">(source: <a href="https://www.rfc-editor.org/rfc/rfc8020" class="">https://www.rfc-editor.org/rfc/rfc8020</a>)<br class=""><br class="">3. Qname minimization. If a resolver receives a query for foo.bar.applied-for-tld-string, a qname-minimizing resolver will query the authoritative server for bar.applied-for-tld-string. When it receives an NXDOMAIN response, it *may* stop querying right there because it has learned that there is nothing beneath bar.applied-for-tld-string. In that case, the auth server never sees the full qname.</div><div><br class=""></div><div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">4. TTL. With previous analyses, the only TTL involved is that of the SOA record (and negative cache value of that record) of the root. That value is current 86400, which means that a resolver receiving an NXDOMAIN for foo.applied-for-tld-string can potentially wait for an entire day before querying again for foo.does-not-exist. However, we had no control over that value before.</div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><br class=""></div></div><div><br class=""></div><div>Three things can help with mitigating these behaviors and maximizing the telemetry at the auth servers.</div><div><br class=""></div><div>1. <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">I believe that the TLD should be *unsigned*. No DS (in parent), DNSKEY, RRSIG, or NSEC(3) records. This addresses </span><font color="#000000" class=""><span style="caret-color: rgb(0, 0, 0);" class="">the negative aggressive caching issue (#1).</span></font></div><div><br class=""></div><div>2. When we delegate a nearly-empty TLD zone, we now have control over the TTL knob for that TLD. By using a shorter TTL, we can mitigate the effects of caching at the resolvers, including NXDOMAIN caching (#2), but also aggressive NSEC caching (#1). With some resolvers (that ask the full qname regardless), this might even help with <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">qname minimization (#3). </span>This means we get a better look at both query names and quantities that the resolver is seeing. Of course, this comes at the cost of potentially bearing more load, but I expect that we can handle that given the fact that these are (otherwise) nonexistent TLDs, so their demand is not as high as that of existing TLDs.</div><div><br class=""></div><div>3. Finally, to more fully address the issue of qname minimization (#3) -- for which a low TTL might not help -- here is a new idea to help see the full qname where it would otherwise be lost on qname-minimizing resolvers that follow the NXDOMAIN principles in RFC 8020. We add a wildcard HINFO record to the zone. This would make it so that queries for foo.applied-for-tld-string would result in NOERROR (empty answer) instead of NXDOMAIN, which means that the resolver has no choice but to query again for bar.foo.applied-for-tld-string, even if it strictly follows the RFC 8020 principles. Note that this is inspired by RFC 8482, where HINFO is used for minimal ANY responses, but it is applied here for a different purpose.</div><div><br class=""></div><div>Here is the resulting zone, with 1) no DNSSEC, 2) 60-second TTL and negative cache TTL, and 3) the use of an HINFO record:</div><div><br class=""></div><div>Example (60-second TTL):</div><div><br class=""></div><div>$TTL<span class="Apple-tab-span" style="white-space:pre"> </span>60<br class="">@<span class="Apple-tab-span" style="white-space:pre"> </span>IN<span class="Apple-tab-span" style="white-space:pre"> </span>SOA<span class="Apple-tab-span" style="white-space:pre"> </span>localhost. root.localhost. (<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span> 1<span class="Apple-tab-span" style="white-space:pre"> </span>; Serial<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span> 3600<span class="Apple-tab-span" style="white-space:pre"> </span>; Refresh<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span> 3600<span class="Apple-tab-span" style="white-space:pre"> </span>; Retry<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span>86400<span class="Apple-tab-span" style="white-space:pre"> </span>; Expire<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span> 60 )<span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre"> </span>; Negative Cache TTL<br class="">@<span class="Apple-tab-span" style="white-space:pre"> </span>IN<span class="Apple-tab-span" style="white-space:pre"> </span>NS<span class="Apple-tab-span" style="white-space:pre"> </span><a href="http://ns1.trial-delegation.icann.org" class="">ns1.trial-delegation.icann.org</a>.<br class=""><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">@</span><span class="Apple-tab-span" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); white-space: pre;"> </span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">IN</span><span class="Apple-tab-span" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); white-space: pre;"> </span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">NS</span><span class="Apple-tab-span" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); white-space: pre;"> </span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class=""><a href="http://ns2.trial-delegation.icann.org" class="">ns2.trial-delegation.icann.org</a>.</span></div><div><font color="#000000" class=""><span style="caret-color: rgb(0, 0, 0);" class="">* HINFO "" ""<br class=""><br class=""></span></font></div><div>I know that the HINFO record idea is new, and there might be some concerns with that. It is still a negative response (NXDOMAIN vs. NOERROR). Like anything else proposed, this has to do with the risk/reward we are looking for.</div><div><br class=""></div><div>Casey</div></div></body></html>