Hi Paul,
> for any non-root server, an RD=0 question for example.onion should be
> answered with SERVFAIL. this is a condition signal, and the condition
> is "since i'm hearing this query, someone thinks i'm holding a
> delegation, and i'm not, so i might be lame for some zone, so the
> server (me, this authority server) has failed."
From what I've observed so far, there seems to be a consensus among the
authoritative servers out there :) They all answer out-of-bailiwick
queries with REFUSED. I haven't met any that would say SERVFAIL or
NOTAUTH or anything else. If you propose to normatively change this,
with the idea that it would make more sense, then OK, but dunno if it
has any benefit.
$ kdig @d.in-addr-servers.arpa. nonexistent-tld. +nordflag +noall +header
;; ->>HEADER<<- opcode: QUERY; status: REFUSED; id: 2834
;; Flags: qr; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
$ kdig @a.ns.nic.cz. nonexistent-tld. +nordflag +noall +header
;; ->>HEADER<<- opcode: QUERY; status: REFUSED; id: 63681
;; Flags: qr; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
$ kdig @a0.org.afilias-nst.info. nonexistent-tld. +nordflag +noall +header
;; ->>HEADER<<- opcode: QUERY; status: REFUSED; id: 45946
;; Flags: qr; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
If you propose that the onion. TLD (non-existing) and its subtree shall be
an exception (for all auth servers) and answered differently than
other non-existent TLDs, then OK, but I simply don't like the idea.
Libor
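The header decoding behind the kdig runs above, as an added example that is not part of the thread: it builds an RD=0 query like `kdig +nordflag`, decodes the RCODE and flag bits from a response header the way kdig prints them, and checks a constructed REFUSED header mirroring the first kdig output. `query_server` is the only part that needs network access; the server names and query id are taken from the kdig output, everything else is assumed.

```python
import socket
import struct

# RCODE values from RFC 1035 / RFC 2136, the ones the thread debates.
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED", 9: "NOTAUTH"}


def build_query(qname: str, qid: int, rd: bool = False, qtype: int = 1) -> bytes:
    """Wire-format DNS query; rd=False clears the RD bit, matching kdig +nordflag."""
    flags = 0x0100 if rd else 0x0000  # QR=0, OPCODE=QUERY, RD as requested
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        question += bytes([len(label)]) + label.encode("ascii")
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte header the way kdig prints it (status, flags, counts)."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    names = [n for bit, n in ((0x8000, "qr"), (0x0400, "aa"), (0x0200, "tc"),
                              (0x0100, "rd"), (0x0080, "ra")) if flags & bit]
    return {"id": qid, "status": RCODES.get(rcode, str(rcode)), "flags": names,
            "query": qd, "answer": an, "authority": ns, "additional": ar}


def query_server(server: str, qname: str, qid: int, timeout: float = 3.0) -> dict:
    """Send an RD=0 query over UDP/53 and decode the header of the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qid), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_header(data)


# Constructed sample: the header kdig showed from d.in-addr-servers.arpa
# (id 2834, status REFUSED, only QR set, QUERY=1, other counts 0) plus the echoed question.
SAMPLE_REFUSED = (struct.pack("!HHHHHH", 2834, 0x8005, 1, 0, 0, 0)
                  + build_query("nonexistent-tld.", 0)[12:])

if __name__ == "__main__":
    print(parse_header(SAMPLE_REFUSED))
    # Live check against one of the servers from the thread (assumed reachable):
    # print(query_server("d.in-addr-servers.arpa", "nonexistent-tld.", 2834))
```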
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop