On 7/8/19 10:59 AM, Ted Lemon wrote:
> BTW, it would also be perfectly legitimate for an authoritative server
> that doesn’t provide recursion to respond with NXDOMAIN for any query
> within a domain that’s delegated to it,

But again, since you have no SOA to return, you have no record to attach a TTL to, so retries, retries, retries.

> Although now that I think about this, another problem we’d face here is
> that DNSSEC would break this completely. If you have a secure
> delegation, but don’t have the ability to sign the zone, you can’t
> respond authoritatively even if the delegation is pointing at your
> server. So here the only real fix is at the registrar.

Not gonna argue that the best fix is at the registrar. As an owner of a nameserver, I really should have the right to say "no, you can't point that to me." But there are other reasons for REFUSED as well (security, DDoS filtering, etc.) and I should have a means to add to the reply, "don't ask again for X seconds".

-- 
Michael Sheldon
Dev-DNS Services
GoDaddy.com

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
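The point about retries turns on RFC 2308 negative caching: a resolver caches an NXDOMAIN for min(SOA TTL, SOA MINIMUM), both taken from the SOA in the authority section, and a REFUSED reply carries no SOA, so there is nothing to cache and the resolver simply asks again. The script below is an added illustration, not code from this thread or from any of the participants; it hand-builds two wire-format responses (constructed sample data, with made-up names and SOA values, not captured from a real server) and shows which of them yields a cacheable negative TTL.

```python
import struct

# DNS constants used below (RFC 1035)
RCODE_NXDOMAIN = 3
RCODE_REFUSED = 5
TYPE_A = 1
TYPE_SOA = 6
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) + ".", end if end is not None else off


def build_response(qname: str, rcode: int, soa=None) -> bytes:
    """Constructed test message: header + one A question + optional SOA in the
    authority section. soa = (zone, mname, rname, serial, refresh, retry,
    expire, minimum, ttl). Uncompressed on purpose; not a real server's output."""
    flags = 0x8000 | 0x0400 | rcode               # QR, AA, RCODE
    nscount = 1 if soa else 0
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, nscount, 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    if soa:
        zone, mname, rname, serial, refresh, retry, expire, minimum, ttl = soa
        rdata = encode_name(mname) + encode_name(rname)
        rdata += struct.pack("!IIIII", serial, refresh, retry, expire, minimum)
        msg += encode_name(zone) + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, ttl, len(rdata)) + rdata
    return msg


def negative_cache_ttl(msg: bytes):
    """Return (rcode, ttl): ttl is how long RFC 2308 lets a resolver cache the
    negative answer (min of the SOA's own TTL and its MINIMUM field), or None
    when the response has no SOA in the authority section to derive it from."""
    _, flags, qdcount, ancount, nscount, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):                      # skip the question section
        _, off = decode_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    ttl = None
    for i in range(ancount + nscount):
        _, off = decode_name(msg, off)
        rtype, _, rr_ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if i >= ancount and rtype == TYPE_SOA:    # SOA in the authority section
            _, p = decode_name(msg, off)          # MNAME
            _, p = decode_name(msg, p)            # RNAME
            minimum = struct.unpack("!I", msg[p + 16:p + 20])[0]  # 5th uint32
            ttl = min(rr_ttl, minimum)
        off += rdlength
    return rcode, ttl


# Constructed sample responses (made-up zone and SOA values).
NXDOMAIN_WITH_SOA = build_response(
    "www.example.test.", RCODE_NXDOMAIN,
    soa=("example.test.", "ns1.example.test.", "hostmaster.example.test.",
         2019070801, 7200, 900, 1209600, 300, 3600))
REFUSED_NO_SOA = build_response("www.example.test.", RCODE_REFUSED)

if __name__ == "__main__":
    print("NXDOMAIN + SOA:", negative_cache_ttl(NXDOMAIN_WITH_SOA))  # (3, 300)
    print("REFUSED, no SOA:", negative_cache_ttl(REFUSED_NO_SOA))    # (5, None)
```

The NXDOMAIN response yields a 300-second negative-cache entry (the SOA MINIMUM, which is smaller than the SOA's 3600-second TTL), while the REFUSED response yields no TTL at all, which is exactly the gap the reply above asks to fill with a "don't ask again for X seconds" hint.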