On Sun, 28 Dec 2015, John Levine wrote:
>> NEW
>> For instance, some authoritative name servers embedded in load
>> balancers reply properly to A queries but send REFUSED to NS queries.
>> This behaviour violates the DNS protocol (see Section ??? of [RFC??],
>> and improvements to the DNS are impeded if we accept such behaviour
>> as normal.
>> END
>> Does anyone have an idea of the reference to use to replace the "???"
>> For me, such a behavior is so obviously wrong that I cannot think of a
>> precise chapter-and-verse to quote...
> I don't see why it's not valid behavior. REFUSED means "The name
> server refuses to perform the specified operation for policy reasons."
> If my policy is not to tell you about NS records, that's my policy.
> It may be a stupid policy that causes downstream problems, but it's my
> right to be stupid.
Being listed as nameserver while unconditionally refusing all NS queries
leads to a guaranteed failure with DNSSEC as there would not be a signed
NS RRset published anywhere. It's much more than being stupid, it is a
blatant protocol violation and definitely NOT valid behaviour.
Where to point to is indeed tricky. Maybe one could point to
https://tools.ietf.org/html/rfc1035#section-3.3.11
The NS RR states that the named host should be expected to have a zone
starting at owner name of the specified class.
I would interpret that to mean that a parental NS glue record signifies
that the RDATA target must point to something that has that zone at the
owner name. Thus the NS queries at that target should return proper
results for NS queries (to itself).
Paul
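To make the point above concrete, here is an added example (not from this thread or any of its authors) that builds constructed wire-format replies to an NS query for a delegated zone and classifies them: a REFUSED reply, or a NOERROR reply with no NS RRset, is flagged as a delegation that can never publish a signed NS RRset. The zone example.com and the ns1/ns2 names are placeholders.

```python
import struct

TYPE_NS = 2
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def encode_name(name):
    """Encode a dotted name as uncompressed DNS wire-format labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_response(qname, rcode, ns_targets=()):
    """Constructed (not captured) wire-format reply to an 'qname NS IN' query."""
    flags = 0x8400 | rcode                      # QR=1, AA=1, RCODE in the low 4 bits
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(ns_targets), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_NS, 1)   # question section
    for target in ns_targets:
        rdata = encode_name(target)
        msg += encode_name(qname) + struct.pack("!HHIH", TYPE_NS, 1, 3600, len(rdata)) + rdata
    return msg

def skip_name(wire, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = wire[off]
        if length & 0xC0 == 0xC0:               # pointer: two bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def assess_ns_response(wire):
    """Classify a server's reply to an NS query for the zone it is delegated for."""
    _id, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", wire[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = skip_name(wire, off) + 4          # skip QTYPE and QCLASS
    ns_answers = 0
    for _ in range(ancount):
        off = skip_name(wire, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_NS:
            ns_answers += 1
    if rcode == 5:
        verdict = "VIOLATION: REFUSED to an NS query for its own zone"
    elif rcode == 0 and ns_answers == 0:
        verdict = "VIOLATION: NOERROR but no NS RRset in the answer section"
    elif rcode == 0:
        verdict = "OK"
    else:
        verdict = "UNEXPECTED: " + RCODE_NAMES.get(rcode, str(rcode))
    return {"rcode": RCODE_NAMES.get(rcode, str(rcode)), "aa": bool(flags & 0x0400),
            "ns_answers": ns_answers, "verdict": verdict}
```

A live check would send the same NS query to each server listed in the parent's delegation and pass the raw reply bytes to assess_ns_response; a REFUSED from any of them means validators will never find a signed NS RRset there.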
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop