> On 6 Mar 2015, at 19:37, Bob Harold <rharo...@umich.edu> wrote:
>
> I would be concerned about blocking RD=0 (non-recursive). That would prevent
> me from checking to be sure an entry was NOT in the cache, in some DNS server my
> clients are using.

I thought cache probing was considered an unfortunate information leak :-)

You can block rd=0 in BIND using a view with a match-recursive-only directive.

So I think the only missing ACL is for ANY (and the similar RRSIG).

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at
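
A sketch of the view arrangement mentioned in the message above, added here as an example and not taken from the original post or from any BIND-supplied configuration. The view names, the ACL name, the directory path and the address ranges (documentation prefixes) are assumptions.

```conf
// Constructed client ranges (documentation prefixes); replace with real ones.
acl "clients" { 192.0.2.0/24; 2001:db8::/32; };

options {
    directory "/var/named";    // assumed path
};

// Views are tried in order. With match-recursive-only, this view matches
// only queries from "clients" that have the RD bit set (RD=1).
view "recursive" {
    match-clients { "clients"; };
    match-recursive-only yes;
    recursion yes;
    allow-recursion { "clients"; };
};

// Everything that did not match above lands here, including RD=0 queries
// from the same clients. No query is answered, so the cache of the
// "recursive" view cannot be probed with non-recursive queries.
view "refuse-everything" {
    match-clients { any; };
    recursion no;
    allow-query { none; };
};
```

With this in place, a `dig +norecurse` query from a permitted client should come back with status REFUSED, while the same query with recursion requested is answered from the first view. That is the trade-off raised in the quoted text: operators lose the ability to check cache contents with RD=0 queries.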