libor.peltan wrote on 2021-11-30 01:11:
...
> I suggest removing any specific errcode (NXDOMAIN, REFUSED) mentions
> from such requirement. In the future, those errcodes and their names may
> be altered. I quite like Peter's original proposal, though any
> wording can always be slightly improved. I don't dare to suggest any
> wording though.

a query for example.onion or even "onion" has no business being sent to
an authority server to which this domain has not been delegated. so
there is a right answer and it is generally not NXDOMAIN since that
would be a knowledge signal (end to end) and the server can have no
knowledge. obviously the root servers have and can signal such knowledge
so NXDOMAIN would be the right answer from them.

the right answer is likewise not REFUSED since that's a policy signal
and we won't be asking that server implementers hard code "onion" or
other special-use names, nor that server operators configure such names.
there are too many servers, and the list of special-use domains will
change over time. a policy signal for special-use names cannot scale.
this also rules out "don't answer at all" which is also a policy signal.

for any non-root server, an RD=0 question for example.onion should be
answered with SERVFAIL. this is a condition signal, and the condition is
"since i'm hearing this query, someone thinks i'm holding a delegation,
and i'm not, so i might be lame for some zone, so the server (me, this
authority server) has failed."

vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
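
The behaviour proposed in the reply above, as an added example that is not part of the original message and not any server's own code: an authority server that receives an RD=0 query for a name under no zone it holds answers SERVFAIL, without any hard-coded list of special-use names. The function names, the `zones` set and the constructed query are assumptions; the held-zone path returns `None` to stand in for normal zone lookup.

```python
import struct

SERVFAIL = 2  # RCODE value from RFC 1035


def encode_name(name):
    """Encode a domain name as uncompressed DNS wire-format labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qid, name, rd=False, qtype=1, qclass=1):
    """Build a one-question query (constructed sample input)."""
    header = struct.pack("!HHHHHH", qid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def parse_question(msg):
    """Return (lowercased qname labels, offset just past the question)."""
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos + 1:pos + 1 + n].lower())
        pos += 1 + n
    return labels, pos + 1 + 4  # root label, then QTYPE and QCLASS


def enclosing_zone(labels, zones):
    """Longest held zone that is a suffix of the qname, or None.
    A root server would hold b"" and therefore match every name."""
    for i in range(len(labels) + 1):
        candidate = b".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def respond(msg, zones):
    """SERVFAIL response if no held zone encloses the qname, else None."""
    qid, flags = struct.unpack("!HH", msg[:4])
    labels, qend = parse_question(msg)
    if enclosing_zone(labels, zones) is not None:
        return None  # held zone: normal authoritative lookup (not shown)
    # QR=1, echo opcode and RD, AA and RA clear, RCODE=SERVFAIL
    out_flags = 0x8000 | (flags & 0x7900) | SERVFAIL
    return struct.pack("!HHHHHH", qid, out_flags, 1, 0, 0, 0) + msg[12:qend]
```

The decision depends only on the zones the server actually holds, so it applies unchanged to any special-use name added later.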