Ángel writes:

> I have seen the opposite problem than the op, servers returning NXDOMAIN
> when there are actually child records, and they should have returned
> NODATA, such as querying _domainkeys.

Right, this is absolutely a problem too, with the practical consequence that it thwarts qname minimisation (RFC 7816) and aggressive negative caching as you called out from 8020. To be clear:

> Returning NODATA instead of NXDOMAIN would seem mostly to be an
> inefficiency, but section 4 of rfc 8020 documents how returning NXDOMAIN
> can mitigate some random QNAME attacks.

Yes, *proper and accurate* NXDOMAIN will do that. But if you answer NXDOMAIN for an empty non-terminal then you risk resolvers (not only qname-minimising ones) not being able to properly resolve subdomains that really do exist.
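The failure discussed in this message, as an added example that is not part of the original post: a simplified Python model of an authoritative server that answers an empty non-terminal (ENT) correctly or wrongly, and of a resolver using QNAME minimisation and an RFC 8020 style NXDOMAIN cache. The zone `example.test.`, its records, and the names `authoritative`, `resolve` and `ent_bug` are assumptions constructed for illustration.

```python
# Constructed sample zone: owner name -> set of record types present.
ZONE = {
    "example.test.": {"SOA", "NS"},
    "www.example.test.": {"A"},
    "sel1._domainkey.example.test.": {"TXT"},  # makes _domainkey an ENT
}
APEX = "example.test."

def authoritative(qname, qtype, ent_bug=False):
    """Return the kind of response an authoritative server gives."""
    if qtype in ZONE.get(qname, ()):
        return "ANSWER"
    has_children = any(owner.endswith("." + qname) for owner in ZONE)
    if qname in ZONE or (has_children and not ent_bug):
        return "NODATA"    # the name exists, possibly only as an ENT
    return "NXDOMAIN"      # with ent_bug=True an ENT wrongly ends up here

def resolve(qname, qtype, ent_bug=False, minimise=True, nxcache=None):
    """Simplified resolver: optional QNAME minimisation plus an NXDOMAIN cache."""
    nxcache = set() if nxcache is None else nxcache
    # RFC 8020: a cached NXDOMAIN covers every name at or below it.
    if any(qname == cut or qname.endswith("." + cut) for cut in nxcache):
        return "NXDOMAIN"
    steps = [(qname, qtype)]
    if minimise:
        extra = qname[: -len(APEX)].rstrip(".").split(".")
        # Reveal one label at a time below the apex, probing with NS queries.
        names = [".".join(extra[i:]) + "." + APEX
                 for i in range(len(extra) - 1, 0, -1)]
        steps = [(n, "NS") for n in names] + steps
    for name, rtype in steps:
        kind = authoritative(name, rtype, ent_bug)
        if kind == "NXDOMAIN":
            nxcache.add(name)   # remember the NXDOMAIN cut
            return "NXDOMAIN"
    return kind

if __name__ == "__main__":
    target = "sel1._domainkey.example.test."
    print("correct server:", resolve(target, "TXT"))
    print("ENT answered NXDOMAIN:", resolve(target, "TXT", ent_bug=True))
```

With `minimise=False` the same loss appears once an earlier query for the ENT itself has populated `nxcache`, which is the "not only qname-minimising ones" case.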