> That's easily remedied, and would be a good addition to the protocol. The
> first thing the client does is send a query to the candidate new nameserver
> (possibly with "Christmas tree" options, e.g. DO set and so forth), and
> check the reply looks sensible. If not, it doesn't use it. That way it
> doesn't use any server that makes things worse. The query could be an NS
> query for ".", but perhaps better a fixed record in .ARPA that does exist
> & is signed.

I'm in meetings today so can't reply fully.

We could simply propose NXDOMAIN.LOCAL.ARPA. as well.

If the answer for that comes back the same as for DOMAIN.LOCAL.ARPA, we 
know we've got an "evil" resolver. :)

Ray
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
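
Added example, not part of the original message or of any DNSOP document: a client-side check that parses the two probe replies and flags a resolver that answers NXDOMAIN.LOCAL.ARPA the same way as DOMAIN.LOCAL.ARPA. Both names are only proposals from this thread; the A record type, the address 192.0.2.1 and the helper names are assumptions, and the sample replies are constructed.

```python
import struct

def encode_name(name):
    # Wire-format a domain name as length-prefixed labels.
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_response(qname, rcode, a_records=()):
    # Constructed sample reply: header, one question, optional A answers.
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, low 4 bits = RCODE
    msg = struct.pack("!6H", 0x1234, flags, 1, len(a_records), 0, 0)
    msg += encode_name(qname) + struct.pack("!2H", 1, 1)
    for ip in a_records:
        rdata = bytes(map(int, ip.split(".")))
        msg += b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 60, 4) + rdata
    return msg

def skip_name(msg, off):
    # Advance past a name, stopping at a compression pointer or the root label.
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:
            return off + 2
        if n == 0:
            return off + 1
        off += 1 + n

def parse_response(msg):
    # Return (rcode, sorted answer RDATA list) from a DNS reply.
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # name, then QTYPE and QCLASS
    rdatas = []
    for _ in range(an):
        off = skip_name(msg, off)
        _, _, _, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        rdatas.append(msg[off + 10:off + 10 + rdlen])
        off += 10 + rdlen
    return flags & 0xF, sorted(rdatas)

def resolver_rewrites_nxdomain(reply_exists, reply_missing):
    # The test from the message: same answer for both names means "evil".
    return parse_response(reply_missing) == parse_response(reply_exists)

# Constructed replies: an honest resolver (NXDOMAIN, rcode 3) and a rewriting one.
HONEST = (build_response("domain.local.arpa", 0, ["192.0.2.1"]),
          build_response("nxdomain.local.arpa", 3))
EVIL = tuple(build_response(n, 0, ["192.0.2.1"])
             for n in ("domain.local.arpa", "nxdomain.local.arpa"))
```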
