On Monday, March 14, 2016 at 12:01 PM, Mark Andrews <[email protected]> wrote:
>
> > another choice : Authority Server return NODATA/NXDOMAIN as nxdomain cut,
> > but no change on DNS cache. Some impact on NSEC/NSEC3 records.
> >
> > - no names under foo.example => NXDOMAIN at foo.example
>
> If you want to signal NOERROR + bottom of zone you need a new rcode
> and signaling that you support the new rcode. The above imply is
> just wrong as it changes what NXDOMAIN means.
>
> > - zone with bar.foo.example, where foo.example does not exist => NODATA
> > or NOERROR + NULL Answer at foo.example
>
> Well an explicit NODATA rcode would be useful and again signaling of support
> for the new rcode is needed.
>
> NXDOMAIN at an empty non-terminal only came about as the result of
> bad wording in RFC 2535. "no names" should have been "no names
> with data" (the difference is crucial in determining which rcode
> is returned). Only RFC 2535 nameservers are allowed to return
> NXDOMAIN for an empty non-terminal and they should be few and far between
> these days. Every other NXDOMAIN at an empty non-terminal is the
> result of misinterpreting STD 13 or an operational error e.g.
> missing delegation in a parent zone.
>

the point is: change what NXDOMAIN means, indicated with subtree info, yes or no?

if the DNS cache deals with the nxdomain cut, that is yes.

we can change what NXDOMAIN means in the authority server response, not create a new rcode
(same benefit as draft-ietf-dnsop-qname-minimisation, reduce flush domaintree/hashtable on dns cache)

--
Best Regards
Pan Lanlan
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
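The interaction discussed in this thread, as an added example that is not part of either message: a toy authoritative lookup for a zone holding only `bar.foo.example`, and a resolver cache that treats NXDOMAIN as covering the whole subtree. The zone contents, the `ent_nxdomain` switch and all function names are assumptions made for illustration.

```python
# Constructed zone for illustration: only these owner names carry records.
RECORDS = {"example": {"SOA", "NS"}, "bar.foo.example": {"A"}}

def norm(name):
    return name.lower().rstrip(".")

def at_or_below(name, ancestor):
    """Label-wise subtree test, so 'xfoo.example' is not below 'foo.example'."""
    n, a = norm(name).split("."), norm(ancestor).split(".")
    return len(n) >= len(a) and n[-len(a):] == a

def authoritative_rcode(qname, qtype, ent_nxdomain=False):
    """Answer from the constructed zone.
    ent_nxdomain=False: an empty non-terminal gets NODATA (NOERROR, empty answer).
    ent_nxdomain=True: the server returns NXDOMAIN at an empty non-terminal instead.
    """
    q = norm(qname)
    if qtype in RECORDS.get(q, ()):
        return "NOERROR"
    data_below = any(at_or_below(owner, q) for owner in RECORDS if owner != q)
    if q in RECORDS or (data_below and not ent_nxdomain):
        return "NODATA"
    return "NXDOMAIN"

class CutCache:
    """Negative cache applying the NXDOMAIN cut: NXDOMAIN at a name covers its subtree."""
    def __init__(self, ent_nxdomain=False):
        self.ent_nxdomain = ent_nxdomain
        self.cuts = set()
        self.upstream_queries = 0

    def resolve(self, qname, qtype):
        if any(at_or_below(qname, cut) for cut in self.cuts):
            return "NXDOMAIN"  # answered from the cut, no upstream query
        self.upstream_queries += 1
        rcode = authoritative_rcode(qname, qtype, self.ent_nxdomain)
        if rcode == "NXDOMAIN":
            self.cuts.add(norm(qname))
        return rcode

def demo(ent_nxdomain):
    """Query the empty non-terminal first, then the real name beneath it."""
    cache = CutCache(ent_nxdomain)
    return [cache.resolve(n, "A") for n in ("foo.example", "bar.foo.example")]

if __name__ == "__main__":
    print("NODATA at empty non-terminal:  ", demo(False))
    print("NXDOMAIN at empty non-terminal:", demo(True))
```

With NXDOMAIN returned at the empty non-terminal, the cut makes the existing name `bar.foo.example` unreachable through that cache until the negative entry expires.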
