Paul Hoffman writes:
> On Mar 10, 2015, at 8:46 AM, David C Lawrence <t...@akamai.com> wrote:
> > One downside there, however, is that REFUSED as understood by
> > resolvers commonly has the semantic currently that the name is not
> > hosted by the server at all.
> 
> If a resolver is sending an ANY before it sends its actual request, that
> could be a problem. However, they shouldn't be doing that.

Yeah, we've well established they shouldn't.

Bad guys often don't care about what they shouldn't be doing, though,
and (untested assertion follows) using REFUSED responses for ANY
queries of random names could be a pretty useful vector for getting
all of the servers for a domain declared lame.

I'm not saying that ultimately the REFUSED approach is unworkable,
just that I'd like to see some practical testing of it in addition to
the support of the philosophical purity of it.


_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations