On Sat, 5 Oct 2024, Philip Homburg wrote:
Other way around, if the client doesn't understand NXNAME, the recursive
needs to get the real signed NXDOMAIN to pass along.
If a recursive resolver passes NXDOMAIN to a requesting validator, then
the result has to prove NXDOMAIN, so there has to be either an NSEC or
NSEC3 record that proves that the name does not exist. If the authoritative
proves NODATA, then this will fail.
Right, that's the problem when this hack turns NXDOMAIN into fake NODATA.
Unless you know that the ultimate client understands NXNAME, I think the
best you can do is white lies with considerably more work and larger
responses.
R's,
John
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
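Added example, not part of the original message: a simplified sketch of the validator-side check discussed above, showing why an NSEC proving NODATA cannot back an NXDOMAIN rcode. The function names, zone names and record contents are constructed, RRSIG verification is assumed to have already succeeded, and wildcard proofs are omitted.

```python
# Added illustration; all names and records below are constructed.

def canon_key(name):
    """Sort key for RFC 4034 section 6.1 canonical name order."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return [l.encode() for l in reversed(labels)]

def nsec_covers(owner, next_name, qname):
    """True if qname sorts strictly between an NSEC owner and its next name."""
    o, n, q = canon_key(owner), canon_key(next_name), canon_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC in the zone wraps back to the apex

def check_negative(rcode, qname, qtype, nsecs):
    """Classify a negative answer as a validator would.

    nsecs: (owner, next_name, type_set) tuples whose RRSIGs are assumed
    to have verified already. Wildcard proofs are left out (simplification).
    """
    q = canon_key(qname)
    for owner, _next, types in nsecs:
        if canon_key(owner) == q:
            # An NSEC owned by qname shows the name exists, so it can
            # only ever support NODATA, never NXDOMAIN.
            if rcode == "NOERROR" and qtype not in types and "CNAME" not in types:
                return "secure NODATA"
            return "bogus"
    if rcode == "NXDOMAIN" and any(nsec_covers(o, n, qname) for o, n, _ in nsecs):
        return "secure NXDOMAIN"
    return "bogus"

# Classic signed NXDOMAIN: an NSEC spanning the gap around the name.
CLASSIC = [("alpha.example.", "delta.example.", {"A", "NSEC", "RRSIG"})]
# Compact denial: an NSEC synthesized at the queried name itself.
COMPACT = [("beta.example.", "\\000.beta.example.", {"NSEC", "RRSIG", "NXNAME"})]

if __name__ == "__main__":
    print(check_negative("NXDOMAIN", "beta.example.", "A", CLASSIC))
    print(check_negative("NOERROR", "beta.example.", "A", COMPACT))
    print(check_negative("NXDOMAIN", "beta.example.", "A", COMPACT))
```

The third call is the case from the thread: a resolver that only rewrites the rcode to NXDOMAIN while forwarding the compact NSEC hands the downstream validator a proof that the name exists.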