On Mon, 29 Nov 2021, RFC Errata System wrote:

> Original Text
> -------------
> 5. Authoritative DNS Servers: Authoritative servers MUST respond to
> queries for .onion with NXDOMAIN.
>
> Corrected Text
> --------------
> 5. Authoritative DNS Servers: Authoritative servers MUST respond
> non-authoritatively to queries for names in .onion.
>
> The original text for 5 and 6 is conflicting. A name server cannot
> respond with NXDOMAIN (which is an authoritative answer) without having
> a zone configured to serve that NXDOMAIN from. Clearly the intent of
> the text is that clients will not find authoritative answers to .onion
> queries anywhere in the DNS.
The corrected text does not describe what to return though. I guess the text implies REFUSED, but perhaps the WG reasoned this was not good as it would lead to more queries to other servers or instances of the authoritative server set?

So I agree the Original text has an issue. I haven't been convinced yet the suggested solution is the right one. After all, we are talking about "special domains", so perhaps it does warrant an NXDOMAIN despite that normally being used only within an authoritative context.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop