> I think it's worth taking a step back though and asking a larger question:
> if we are restoring the NXDOMAIN signal with the NXNAME pseudo type in the
> NSEC record of NODATA responses, why do we also need to restore NXDOMAIN
> into the RCODE field?

Because a bazillion existing clients expect to find it there.

I think we are talking past each other. If you're saying this approach is
better than black lies, I agree it is, but we would never standardize
black lies because it returns wrong results.

I think this rather hacky approach could work: a client sends a request
with the compact denial flag. The upstream does whatever it does and gets
a result. If the result is anything other than an NXNAME, return the
result and cache it normally. If it's an NXNAME, return the result, but
put it in a special cache that only returns results to subsequent queries
with the compact denial flag set, since they're the only ones that know
what NXNAME means. You might have the same result cached with an NXNAME
for compact denial clients and a white lie for other clients, but so be
it.
Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
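The split-cache idea from the message above, written out as a small simulation. This is an added example, not code from the thread or from any resolver or draft: the upstream server, the `compact_denial_flag` parameter, the zone contents and the `Response` fields are all constructed assumptions. It also shows the point made at the top of the message: a client that only reads the RCODE never notices an NXNAME in the NSEC bitmap, which is why NXDOMAIN has to be restored in the RCODE as well.

```python
"""Simulation of a resolver that keeps NXNAME denials in a cache served only
to queries carrying the compact-denial flag, while everything else (including
white-lie denials for legacy clients) goes into the ordinary cache.

Everything here is constructed for the example: the upstream behaviour, the
flag, the zone data and the response shape are assumptions, not a real
implementation."""
from dataclasses import dataclass

NXNAME = "NXNAME"  # pseudo-type that may appear in an NSEC type bitmap


@dataclass(frozen=True)
class Response:
    rcode: str                 # "NOERROR" or "NXDOMAIN"
    answer_rrtypes: frozenset  # RR types in the answer section (empty for a denial)
    nsec_bitmap: frozenset     # type bitmap of the NSEC in the authority section


def upstream_lookup(name, zone, compact_denial_flag):
    """Constructed upstream authoritative server.  Existing names get a normal
    answer.  Nonexistent names get an NXNAME denial with the NXDOMAIN RCODE
    restored when the query carries the flag, and a NODATA-shaped 'white lie'
    (NOERROR, empty answer, NSEC without the queried type) otherwise."""
    if name in zone:
        return Response("NOERROR", frozenset(zone[name]), frozenset())
    if compact_denial_flag:
        return Response("NXDOMAIN", frozenset(), frozenset({"NSEC", "RRSIG", NXNAME}))
    return Response("NOERROR", frozenset(), frozenset({"NSEC", "RRSIG"}))


class Resolver:
    """Recursive resolver with an ordinary cache and a flag-only NXNAME cache."""

    def __init__(self, zone):
        self.zone = zone
        self.cache = {}          # ordinary cache, served to every client
        self.nxname_cache = {}   # NXNAME results, served only to flag-set queries
        self.upstream_queries = 0

    def resolve(self, name, compact_denial_flag=False):
        # Only clients that set the flag know what NXNAME means, so only they
        # are allowed to be answered from the NXNAME cache.
        if compact_denial_flag and name in self.nxname_cache:
            return self.nxname_cache[name]
        if name in self.cache:
            return self.cache[name]
        self.upstream_queries += 1
        resp = upstream_lookup(name, self.zone, compact_denial_flag)
        if NXNAME in resp.nsec_bitmap:
            self.nxname_cache[name] = resp   # never handed to legacy clients
        else:
            self.cache[name] = resp          # cache normally
        return resp


def client_sees_nxdomain(resp, understands_nxname):
    """How each kind of client decodes a denial.  A legacy client only looks at
    the RCODE, which is why NXDOMAIN must also be restored there; a flag-aware
    client can additionally read NXNAME out of the NSEC bitmap."""
    if resp.rcode == "NXDOMAIN":
        return True
    return understands_nxname and NXNAME in resp.nsec_bitmap


if __name__ == "__main__":
    r = Resolver({"www.example.": {"A", "AAAA"}})      # constructed zone
    first = r.resolve("nope.example.", compact_denial_flag=True)
    second = r.resolve("nope.example.", compact_denial_flag=False)
    print("flag client got:", first.rcode, sorted(first.nsec_bitmap))
    print("legacy client got:", second.rcode, sorted(second.nsec_bitmap))
    print("upstream queries:", r.upstream_queries,
          "| entries: ordinary", len(r.cache), "nxname", len(r.nxname_cache))
```

Running the sequence in the order the message describes (flag-aware client first, then a legacy client) leaves the same name cached twice, once as an NXNAME in the flag-only cache and once as a white lie in the ordinary cache, and neither client ever sees the other's version. In this example the reverse order behaves differently: if a legacy client populates the ordinary cache first, a later flag-set query is answered from that cached white lie rather than going upstream, so it never learns the name is NXNAME; that is a consequence of the lookup order chosen here, not something the message specifies.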