On 12. 02. 25 11:33, Yorgos Thessalonikefs wrote:
> On 11/02/2025 21:29, John Levine wrote:
>> It appears that Wessels, Duane <dwess...@verisign.com> said:
>>> For whatever it's worth, I think Unbound's (presumably default)
>>> behavior here is the right thing to do.
>>> It matches my expectation for my argument that caching DNS servers
>>> "SHOULD, by default, generate immediate negative responses for all
>>> such queries".
>>
>> It's returning NOERROR with an invented SOA in the authority section
>> unless you ask for SOA, in which case you get it as the answer.
>> That seems less right than returning NXDOMAIN. You can easily make it
>> do that by adding a line to the config file, but that's not the default.
>
> For special-use domain names, Unbound behaves the same as with locally
> served DNS zones (empty zones) by default.
> That is NXDOMAIN for everything in the zone and NOERROR for the apex
> where (fabricated) SOA and NS records exist.

BIND does the same, and I think it's fine. It has worked like that since
2012 (in BIND, by default), so if the protocol police comes after me today
I'm going to claim it's barred by the statute of limitations :D

But more seriously. If Joe wants a name which gets semi-reliable
NXDOMAIN, perhaps go for nonexistent.invalid? At least it says what you
want to do in the name.

No amount of text will _guarantee_ a specific answer on the wide and
wild Internet, and a new draft is going to have worse adoption rates
than RFC 6761 from 2013.
--
Petr Špaček
Internet Systems Consortium
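The thread turns on what a resolver hands back for a special-use name: NXDOMAIN below the apex, NOERROR with a synthesized SOA in the authority section at the apex, or the SOA as a positive answer. The classifier below is an added example, not code from the thread, from Unbound or from BIND; it parses a DNS response on the wire and reports which of those cases it is. The sample responses, the SOA contents and the message ID are constructed for the example, not captures.

```python
import struct

RCODE_NOERROR, RCODE_NXDOMAIN, TYPE_A, TYPE_SOA, CLASS_IN = 0, 3, 1, 6, 1

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if length == 0:             # root label ends an uncompressed name
            return off
        off += length

def classify_response(msg: bytes) -> str:
    """'nxdomain', 'nodata' (NOERROR, empty answer, SOA in authority), 'answer', or 'other'."""
    _id, flags, qdcount, ancount, nscount, _arcount = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F
    if rcode == RCODE_NXDOMAIN:
        return "nxdomain"
    if rcode != RCODE_NOERROR:
        return "other"
    if ancount > 0:
        return "answer"
    off = 12
    for _ in range(qdcount):        # skip the question: name, qtype, qclass
        off = _skip_name(msg, off) + 4
    for _ in range(nscount):        # walk the authority section looking for an SOA
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_SOA:
            return "nodata"
    return "other"

# Constructed sample responses (not real captures) modelling the behaviour described in the thread.
def _name(s: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in s.rstrip(".").split(".")) + b"\x00"
def _rr(owner: bytes, rtype: int, rdata: bytes) -> bytes:
    return owner + struct.pack("!HHIH", rtype, CLASS_IN, 3600, len(rdata)) + rdata
def _response(rcode: int, qname: str, qtype: int, answer=(), authority=()) -> bytes:
    header = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(answer), len(authority), 0)
    return header + _name(qname) + struct.pack("!HH", qtype, CLASS_IN) + b"".join(answer) + b"".join(authority)
SOA_RDATA = _name("localhost.") + _name("nobody.invalid.") + struct.pack("!5I", 1, 3600, 1200, 604800, 10800)
APEX_PTR = b"\xc0\x0c"  # compression pointer to the question name at offset 12
APEX_A = _response(RCODE_NOERROR, "invalid.", TYPE_A, authority=[_rr(APEX_PTR, TYPE_SOA, SOA_RDATA)])
BELOW_APEX = _response(RCODE_NXDOMAIN, "nonexistent.invalid.", TYPE_A, authority=[_rr(_name("invalid."), TYPE_SOA, SOA_RDATA)])
APEX_SOA = _response(RCODE_NOERROR, "invalid.", TYPE_SOA, answer=[_rr(APEX_PTR, TYPE_SOA, SOA_RDATA)])
```

Feeding `classify_response` the raw bytes of a real reply (for example from a UDP socket) lets you check whether a resolver follows the NXDOMAIN-below-apex, SOA-at-apex pattern the thread describes.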
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org