On Sun, 28 Dec 2015, John Levine wrote:

>> Being listed as nameserver while unconditionally refusing all NS queries
>> leads to a guaranteed failure with DNSSEC as there would not be a signed
>> NS RRset published anywhere.
>
> Yes, we agree it could have bad results.
>
>> The NS RR states that the named host should be expected to have a zone
>> starting at owner name of the specified class.
>
> I would interpret that to mean that a parental NS glue record signifies
> that the RDATA target must point to something that has that zone at the
> owner name. Thus the NS queries at that target should return proper
> results for NS queries (to itself).
>
> Unless, of course, the target doesn't like you and refuses your
> queries for policy reasons.
Note that I said "unconditionally refusing all NS queries". Conditionally
refusing queries based on query source behaviour is off-topic.
The section in question of the draft under discussion talks about the
specific case where a load balancer is returning REFUSED because it
did not implement NS queries, and that such behaviour is a violation
of the RFC. Not implementing NS queries on an authoritative nameserver
results in a DNS implementation that indeed violates the RFC. The question
was, which part of which RFC is the best reference to point to.
Paul
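An added example, not part of this thread or of the draft under discussion, of the check an operator can run against a listed nameserver: send a plain NS query for the zone apex and flag a server that answers REFUSED (or answers without the AA bit and an NS RRset at the owner name) instead of the authoritative NS RRset the delegation implies. It uses only the Python standard library; the two response messages are constructed inline so the code runs offline, and the zone name `example.com.`, the transaction id and the nameserver names are assumed sample values. The `send_ns_query` helper is the only part that touches the network and is not exercised here.

```python
import socket
import struct

TYPE_NS = 2
CLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name in DNS wire format (uncompressed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_ns_query(zone, txid=0x1234):
    """Build an NS/IN query for the zone apex; flags 0x0100 set only RD."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_NS, CLASS_IN)


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if end is not None else offset


def check_ns_response(msg, zone):
    """Classify a response to the apex NS query.

    'ok' is True only for NOERROR, AA set, and at least one NS RR whose
    owner name is the zone itself, i.e. what RFC 1035 implies a listed
    nameserver must be able to return."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, aa = flags & 0x000F, bool(flags & 0x0400)
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4
    targets = []
    for _ in range(an):
        owner, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_NS and owner.lower() == zone.lower():
            target, _ = decode_name(msg, offset)  # rdata may use pointers
            targets.append(target)
        offset += rdlen
    return {"rcode": RCODE_NAMES.get(rcode, str(rcode)), "aa": aa,
            "ns": targets, "ok": rcode == 0 and aa and bool(targets)}


def send_ns_query(server_ip, zone, timeout=3.0):
    """Send the apex NS query over UDP to one server and classify the reply."""
    query = build_ns_query(zone)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        reply, _ = s.recvfrom(4096)
    return check_ns_response(reply, zone)


def build_sample_responses(zone="example.com."):
    """Constructed sample replies: a REFUSED one (flags 0x8185: QR, RD, RA,
    RCODE 5) and an authoritative one (flags 0x8400: QR, AA) with two NS RRs
    whose owner and rdata use 0xC00C pointers back to the question name."""
    question = build_ns_query(zone)[12:]
    refused = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0) + question
    rr1 = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_NS, CLASS_IN, 3600, 6) + b"\x03ns1\xc0\x0c"
    rr2 = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_NS, CLASS_IN, 3600, 6) + b"\x03ns2\xc0\x0c"
    good = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 2, 0, 0) + question + rr1 + rr2
    return refused, good


if __name__ == "__main__":
    for label, msg in zip(("refused", "authoritative"), build_sample_responses()):
        print(label, check_ns_response(msg, "example.com."))
```

Run against every server in the delegation (the parental NS RRset) rather than just one: a load balancer that returns REFUSED for NS while happily answering A queries shows up only on the apex NS check, and the `aa` flag is worth reporting separately, since a non-authoritative NOERROR answer is a different misconfiguration from a REFUSED one.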
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop