On Thu, Sep 11, 2014 at 4:28 PM, Mark Andrews <ma...@isc.org> wrote: > Actually timeout is much, much, much worse.
When I experiment empirically there seem to be caches that will fail the resolution if one of the auth servers returned REFUSED or SERVFAIL. Different numbers for each, but both trigger it. Meanwhile timeouts do cause delay, but a greater percentage of resolutions succeed. > Delegation should never succeed unless you can get a SOA response > for the zone being delegated from the nameservers being delegated > to. Of course, but that's not what .is do. They check for a completely different name first, not in the zone being delegated, and expect to see an error. -- Colm _______________________________________________ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs