Daniel Stirnimann <daniel.stirnim...@switch.ch> wrote:
>
> I would like BIND to also more gracefully handle qmin errors. This could
> mean changing the query type to A (See attached patch for BIND
> 9.14.2) or disabling qmin on errors.

I tend to think that making A queries instead of NS is the best way to
reduce the complexity of workarounds for interop problems.

The idea of using NS queries for qmin is partly my fault
(https://mailarchive.ietf.org/arch/msg/dns-privacy/gAgGx9Zz6W0OfyRdJ0Rx7xxmHDg)

I was trying to start a discussion with a starting point that minimizes
information leakage, in particular it tries not to leak the query type.

But this algorithm vigorously exposes lame delegations that do not
normally cause failures in normal resolution (though a malicious client
could cause the same resolution failures by making NS queries). A queries
don't do this because they don't cause broken apex NS RRsets to evict
working delegation NS RRsets (RFC 2181 ranking).

I kind of expected more discussion about interop problems while RFC 7816
was in the works, or while implementations were in the works - after all
the algorithm is an example in a non-normative appendix to an experimental
RFC ...

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Humber, Thames: Northeast becoming variable 3 or 4, then south 4 or 5 later.
Slight occasionally moderate. Showers. Good.
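
The RFC 2181 ranking effect described in this message, as an added example that is not part of the original post and is not BIND code: a toy resolver cache ingests a referral and then a qmin probe reply, and reports which NS RRset it ends up holding. All names under .test and the reply contents are constructed, and the A probe is assumed to be answered with NODATA carrying only an SOA in the authority section.

```python
from enum import IntEnum

class Trust(IntEnum):
    """Subset of the RFC 2181 section 5.4.1 ranking, lowest first."""
    REFERRAL = 1        # authority section of a non-authoritative answer
    AUTH_AUTHORITY = 2  # authority section of an authoritative answer
    AUTH_ANSWER = 3     # answer section of an authoritative answer

class Cache:
    def __init__(self):
        self.rrsets = {}  # (owner, rrtype) -> (trust, frozenset of rdata)

    def store(self, owner, rrtype, rdata, trust):
        held = self.rrsets.get((owner, rrtype))
        # Lower-ranked data never replaces what is already cached.
        if held is None or trust >= held[0]:
            self.rrsets[(owner, rrtype)] = (trust, frozenset(rdata))

    def ingest(self, reply):
        """Cache each RRset at the trust level its section and the AA bit earn."""
        if reply["aa"]:
            for owner, rrtype, rdata in reply["answer"]:
                self.store(owner, rrtype, rdata, Trust.AUTH_ANSWER)
        rank = Trust.AUTH_AUTHORITY if reply["aa"] else Trust.REFERRAL
        for owner, rrtype, rdata in reply["authority"]:
            self.store(owner, rrtype, rdata, rank)

# Constructed sample data: the parent delegates to working servers, while the
# child zone's own apex NS RRset names a host that no longer serves the zone.
WORKING = {"ns1.good.test", "ns2.good.test"}
BROKEN = {"ns.decommissioned.test"}
REFERRAL = {"aa": False, "answer": [],
            "authority": [("example.test", "NS", WORKING)]}
NS_PROBE_REPLY = {"aa": True, "authority": [],
                  "answer": [("example.test", "NS", BROKEN)]}
# Assumption: the A probe gets NODATA with only an SOA in the authority section.
A_PROBE_REPLY = {"aa": True, "answer": [],
                 "authority": [("example.test", "SOA", {"constructed SOA rdata"})]}

def nameservers_after(probe_reply):
    """NS RRset the resolver would use for example.test after the qmin probe."""
    cache = Cache()
    cache.ingest(REFERRAL)
    cache.ingest(probe_reply)
    return set(cache.rrsets[("example.test", "NS")][1])

if __name__ == "__main__":
    print("NS probe:", sorted(nameservers_after(NS_PROBE_REPLY)))
    print("A probe: ", sorted(nameservers_after(A_PROBE_REPLY)))
```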