Ted Lemon wrote on 2021-11-30 17:04:
I don’t see how any answer from an authoritative server other than REFUSED really makes sense for a domain for which that server is not authoritative. It hasn’t failed. It’s been asked a bogus question. It doesn’t make sense for it to theorize that it might be misconfigured.
i only use REFUSED if the same question from some other query source (by IP) or signed differently (with TSIG or SIG(0)) could possibly work. for out-of-authority requests, the server must fail to answer.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop