sth...@nethelp.no <sth...@nethelp.no> wrote:
>
> Agree that you should be able to ignore them. But as a practical matter,
> ignoring them *may* result in the question being asked again and again,
> while REFUSED *may* stop the client from asking more.

REFUSED leads to retries too: if the client is a legit resolver it will retry using the other authoritative servers. For example, when I changed private.cam.ac.uk from refusing external queries to replying with an empty answer, the load on our auth servers dropped by half.

Retries following REFUSED are also one reason why the RFC 8482 minimal-any option is not refuse-any: when an ANY attack is bouncing off a recursive server, the authoritative server can reduce the power of the attack by returning a small cacheable answer. This reduces the load on the authoritative servers (no retries), and on the recursive servers (no need to recurse and retry), and reduces the volume of the attack traffic.

Probe traffic like these sl/IN/ANY queries is a very different matter. I wouldn't expect any kind of reasonable behaviour, so it makes sense to drop the queries as early as possible.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> https://dotat.at/
North Fitzroy, Sole: Easterly or southeasterly 4 to 6. Moderate or rough. Showers at first in northwest Fitzroy, otherwise fair. Good.
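
Added example, not part of the original message and not BIND's code: a sketch of the "small cacheable answer" contrasted with REFUSED, using the synthesized HINFO record that RFC 8482 describes as one permitted way to answer ANY (the message does not say which RFC 8482 behaviour BIND's minimal-any uses). The function names, the query for example.com and the 3600 second TTL are assumptions made for illustration.

```python
import struct

QTYPE_ANY, TYPE_HINFO, CLASS_IN = 255, 13, 1
RCODE_NOERROR, RCODE_REFUSED = 0, 5

def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qid, name, qtype):
    """Constructed sample input: a one-question query with RD set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)

def question_end(msg):
    """Offset just past the first question; rejects truncated or compressed names."""
    pos = 12
    while pos < len(msg) and msg[pos] != 0:
        if msg[pos] & 0xC0:
            raise ValueError("compressed or invalid label in question")
        pos += 1 + msg[pos]
    if pos + 5 > len(msg):
        raise ValueError("truncated question")
    return pos + 5

def reply_header(query, rcode, ancount, aa):
    qid, flags = struct.unpack("!HH", query[:4])
    # QR=1, optional AA, opcode and RD copied from the query, RA=0
    out = 0x8000 | (0x0400 if aa else 0) | (flags & 0x7900) | rcode
    return struct.pack("!HHHHHH", qid, out, 1, ancount, 0, 0)

def minimal_any(query, ttl=3600):
    """NOERROR answer to ANY: one synthesized HINFO RR, CPU "RFC8482", empty OS."""
    end = question_end(query)
    qtype, = struct.unpack("!H", query[end - 4:end - 2])
    if qtype != QTYPE_ANY:
        raise ValueError("not an ANY query")
    rdata = b"\x07RFC8482" + b"\x00"
    # 0xC00C is a compression pointer back to the question name at offset 12
    rr = struct.pack("!HHHIH", 0xC00C, TYPE_HINFO, CLASS_IN, ttl, len(rdata)) + rdata
    return reply_header(query, RCODE_NOERROR, 1, True) + query[12:end] + rr

def refused(query):
    """REFUSED reply: nothing to cache, so a resolver may try another server."""
    return reply_header(query, RCODE_REFUSED, 0, False) + query[12:question_end(query)]

if __name__ == "__main__":
    q = build_query(0x1234, "example.com", QTYPE_ANY)
    print(len(q), len(minimal_any(q)), len(refused(q)))
```

The HINFO reply is only 21 bytes longer than the question it echoes and carries a TTL, so a recursive server can cache it and stop asking.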