> On 15 May 2024, at 04:34, John Thurston <[email protected]> wrote:
>
> There are several 'special-use' domain names I'm pondering
>
> • invalid.
> • test.
> • onion.
>
> My read of the RFCs indicates they should result in NXDOMAIN, and not be
> passed for resolution.
>
> RFC 6761 (test. Section 6.2.4 / invalid. Section 6.4.4)
>
>> caching DNS servers SHOULD, by default, generate immediate negative
>> responses for all such queries.
>
> RFC 7686 (onion. Section 2.4)
>
>> where not explicitly adapted to interoperate with Tor, SHOULD NOT attempt to
>> look up records for .onion names. They MUST generate NXDOMAIN for all such
>> queries.
>
> Is there some reason these should not just be hammered into our RPZ?
Because despite what you quote above, having a resolver generate negative results without appropriate NSEC and RRSIG records actually causes problems when they are sent by validating clients. Having a local copy of the root zone and returning answers from that suppresses the traffic, and the answers are verifiable.

> --
> Do things because you should, not just because you can.
>
> John Thurston 907-465-8591
> [email protected]
> Department of Administration
> State of Alaska
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
> bind-users mailing list
> [email protected]
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [email protected]
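The two approaches discussed in this exchange, side by side as an added named.conf example (not configuration posted by either participant). It assumes BIND 9.16 or later, so that `type primary` and `type mirror` exist and a mirror of "." falls back to BIND's built-in list of root-zone transfer sources when no primaries are listed; the RPZ zone name and file name are hypothetical. The two excerpts are alternatives, not meant to be deployed together.

```conf
options {
    // Downstream clients may validate answers themselves, so a negative
    // answer only survives validation if it carries NSEC/RRSIG proof.
    dnssec-validation auto;
};

// --- (A) What the question proposes: RPZ rewrites to NXDOMAIN --------------
// A policy hit is synthesized by the resolver and carries no NSEC or RRSIG.
// With BIND's default "break-dnssec no", the rewrite is skipped for DO=1
// queries whose real answer has DNSSEC data, so the query still goes out;
// with "break-dnssec yes", validating clients get a reply they cannot prove.
response-policy { zone "rpz.local"; };   // "rpz.local" is a hypothetical name

zone "rpz.local" {
    type primary;
    file "rpz.local.db";                 // hypothetical file name
};
/* Contents of rpz.local.db; in RPZ, "CNAME ." means "answer NXDOMAIN":
$TTL 300
@           SOA   ns.rpz.local. hostmaster.rpz.local. 1 3600 900 604800 300
@           NS    ns.rpz.local.
invalid     CNAME .
*.invalid   CNAME .
test        CNAME .
*.test      CNAME .
onion       CNAME .
*.onion     CNAME .
*/

// --- (B) What the reply recommends: serve "." from a local, validated copy --
// invalid., test. and onion. are not delegated in the root zone, so names
// under them get NXDOMAIN straight from the local copy, complete with the
// root's own NSEC and RRSIG records, and no query for them leaves this host.
// The transferred copy is DNSSEC-validated before it is used.
zone "." {
    type mirror;
};
```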

