On Thu, Dec 10, 2020 at 06:43:00PM +0100, Jeroen Massar via dns-operations wrote:
> Maybe one thing we as recursive operators could in theory do is to
> detect https:// & http:// & ftp:// or just :// and NXDOMAIN those
> queries directly instead of asking the root for something that cannot
> work.

Given a qname like "ftp://netgear.routerlogin.net/shares/" aggressive NSEC caching makes it possible for a resolver to locally infer the non-existence of the ".com/shares/" TLD, and return a cached NXDomain response (with appropriate NSEC and RRSIG records should the query solicit those via the "DO" bit).

Note that http://somename.example.com is a valid DNS name, for which example.com can choose to publish appropriate RRsets. So the prefix is not something that a forwarding resolver can in general choose to filter, but returning NSEC-derived NXDomain for fictional TLDs is entirely reasonable.

--
Viktor.
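
The inference described in the reply above, as an added example that is not part of the original message: a Python sketch of the aggressive NSEC (RFC 8198) check a resolver can run on the TLD label of a qname, using RFC 4034 canonical ordering. The cached NSEC ranges are constructed sample data, and `canon`, `covers`, `tld_of` and `can_synthesize_nxdomain` are hypothetical helper names.

```python
# Added example: can a resolver answer NXDOMAIN for a qname's TLD purely
# from validated root-zone NSEC records it already holds in cache?
# Assumption: names are plain presentation format without escaped dots.

# Constructed sample of cached root-zone NSEC ranges (owner, next owner).
# Not a copy of the real root zone.
CACHED_NSEC = [(".", "aaa."), ("com.", "comcast."), ("net.", "netbank.")]


def canon(name: str) -> tuple:
    """RFC 4034 section 6.1 sort key: lowercased labels, rightmost first."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return tuple(label.lower().encode("ascii") for label in reversed(labels))


def covers(owner: str, nxt: str, name: str) -> bool:
    """True if the NSEC (owner -> nxt) proves that `name` does not exist."""
    o, n, x = canon(owner), canon(nxt), canon(name)
    if o < n:
        return o < x < n  # strictly between: an exact owner match exists
    return x > o          # last NSEC in the zone wraps back to the apex


def tld_of(qname: str) -> str:
    """Rightmost label of the qname, whatever characters it contains."""
    return qname.rstrip(".").rsplit(".", 1)[-1] + "."


def can_synthesize_nxdomain(qname: str) -> bool:
    """Two proofs are needed: no such TLD, and no wildcard at the root."""
    tld = tld_of(qname)
    no_tld = any(covers(o, n, tld) for o, n in CACHED_NSEC)
    no_wildcard = any(covers(o, n, "*.") for o, n in CACHED_NSEC)
    return no_tld and no_wildcard


if __name__ == "__main__":
    for q in ("ftp://netgear.routerlogin.net/shares/",
              "http://somename.example.com",
              "printer.zzzunknown"):
        verdict = "NXDOMAIN from cache" if can_synthesize_nxdomain(q) else "resolve normally"
        print(f"{q!r}: TLD {tld_of(q)!r} -> {verdict}")
```

The second qname keeps an existing TLD, so nothing is synthesized and the query is resolved as usual, while the third has no covering range in this cache and still needs a query to the root.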
