> The PowerDNS recursor has recently gained support for the "dont-query"
> setting:
> 
>  The DNS is a public database, but sometimes contains delegations to private
>  IP addresses, like for example 127.0.0.1. This can have odd effects,
>  depending on your network, and may even be a security risk. Therefore, since
>  version 3.1.5, the PowerDNS recursor by default does not query private space
>  IP addresses. This setting can be used to expand or reduce the limitations.
> 
> It defaults to blocking RFC1918 addresses.
> 
>  arg().set("dont-query", "If set, do not query these netmasks for DNS
>  data")="127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128,
>  fe80::/10"; 
>  
> This has solved several odd situations with misconfigured domains listing
> 10.0.0.1 and 127.0.0.1 as some of their nameservers.

if there was an rfc that talked about this, it would be more widely
implemented.  (i'm not sure bind wouldn't follow powerdns's lead on this
topic, but i am sure that if there was an rfc, bind would have a similar
feature.)  so the key question is, have we got consensus on the behaviour?
(compared to consensus, finding someone to write it up is relatively easy.)

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop
