On Tue, May 17, 2016 at 03:44:29PM +0200, bert hubert <bert.hub...@powerdns.com> wrote a message of 31 lines which said:
> I expect PowerDNS might extend the root-nx-trust to other domains, This is what Unbound does (see section 8 of draft-ietf-dnsop-nxdomain-cut-03). https://www.unbound.net/documentation/unbound.conf.html harden-below-nxdomain: <yes or no> From draft-vixie-dnsext-resimprove, returns nxdomain to queries for a name below another name that is already known to be nxdo- main. DNSSEC mandates noerror for empty nonterminals, hence this is possible. Very old software might return nxdomain for empty nonterminals (that usually happen for reverse IP address lookups), and thus may be incompatible with this. To try to avoid this only DNSSEC-secure nxdomains are used, because the old software does not have DNSSEC. Default is off. _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
