On Jul 30, 2013, at 4:55 PM, Anand Buddhdev <[email protected]> wrote:
> BIND is trying to pass on the zone unchanged, but will of course not
> serve any out-of-zone records. Knot will not serve out-of-zone records,
> but will not pass them on either.
>
> What do you all think is the correct behaviour? Or are both correct?
>
> PS. I realise that Knot's behaviour could break a DNSSEC-signed zone,
> but then, no sane signer will sign a zone with out-of-zone records, so
> that the process of signing a zone would force the operator to clean up
> their zone.

Honestly, anyone sticking out-of-zone information in their zone needs to be sent back to the 1980s or early 1990s where they belong.

I've long been in favor of breaking zones that do "invalid" things. I set check-names fail on master zones and warn on slave zones that I serve.

This would be something where I would expect a modern master server to treat it as a fatal error and the slave to ignore (both bind and knot are) them in the slave.

As far as saving to disk? I think the data is out of scope and should not be written to disk, as it's just junk data.

- Jared

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
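The policy discussed in this message (fatal on the master, dropped and not stored on the slave), sketched as an added example that is not part of the original thread and is not BIND or Knot code. The function names and the sample records are constructed for illustration, and names are assumed to contain no escaped dots.

```python
# Added example with constructed data; load_zone and friends are hypothetical names.

class OutOfZoneError(ValueError):
    """Raised when a master zone contains owner names outside its origin."""

def labels(name):
    """Lowercased labels of a domain name, trailing dot ignored.
    Assumption: no escaped dots inside labels."""
    return [part for part in name.lower().rstrip(".").split(".") if part]

def in_zone(owner, origin):
    """True if owner is at or below origin, compared label by label.
    A plain string-suffix test would wrongly accept 'badexample.com.'
    as belonging to 'example.com.'."""
    o, z = labels(owner), labels(origin)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

def load_zone(records, origin, role):
    """records: iterable of (owner, rtype, rdata); role: 'master' or 'slave'.
    master: any out-of-zone owner name is a fatal error.
    slave:  out-of-zone records are dropped, so they are neither served
            nor written to disk; they are returned separately for logging.
    Only owner names are checked; rdata may point outside the zone."""
    kept, dropped = [], []
    for rec in records:
        (kept if in_zone(rec[0], origin) else dropped).append(rec)
    if dropped and role == "master":
        names = ", ".join(r[0] for r in dropped)
        raise OutOfZoneError(f"out-of-zone owner names in {origin}: {names}")
    return kept, dropped

# Constructed sample transfer for the zone example.com.
SAMPLE = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300"),
    ("example.com.", "NS", "ns1.example.net."),      # in zone: target may be external
    ("WWW.Example.COM.", "A", "192.0.2.10"),         # in zone: names are case-insensitive
    ("ns1.example.net.", "A", "198.51.100.53"),      # out of zone
    ("badexample.com.", "A", "203.0.113.7"),         # out of zone despite string suffix
]

if __name__ == "__main__":
    kept, dropped = load_zone(SAMPLE, "example.com.", "slave")
    for owner, rtype, _ in dropped:
        print(f"ignoring out-of-zone record: {owner} {rtype}")
    print(f"{len(kept)} records kept for storage")
```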
