--- Begin Message ---
Thank you David.  That change from NXDOMAIN to NOERROR/NODATA and things going 
"boom" is exactly what we are looking for community input towards.  Do folks 
know of applications, or things like suffix search list processing, that will 
change their behavior?

Matt

On 6/2/22, 5:22 PM, "David Conrad" <d...@virtualized.org> wrote:

    Hi,

    On Jun 1, 2022, at 12:39 AM, Petr Špaček <pspa...@isc.org> wrote:
    > On 24. 05. 22 17:54, Vladimír Čunát via dns-operations wrote:
    >>> Configuration 1: Generate a synthetic NXDOMAIN response to all queries with no SOA provided in the authority section.
    >>> Configuration 2: Generate a synthetic NXDOMAIN response to all queries with a SOA record.  Some example queries for the TLD .foo are below:
    >>> Configuration 3: Use a properly configured empty zone with correct NS and SOA records. Queries for the single label TLD would return a NOERROR and NODATA response.
    >> I expect that's OK, especially if it's a TLD that's seriously considered.  I'd hope that "bad" usage is mainly sensitive to existence of records of other types like A.
    > 
    > Generally I agree with Vladimir, Configuration 3 is the way to go.
    > 
    > Non-compliant responses are riskier than protocol-compliant responses, and option 3 is the only compliant variant in your proposal.

    Just to be clear, the elsewhere-expressed concern with configuration 3 is that it exposes applications to new and unexpected behavior.  That is, if applications have been “tuned” to anticipate an NXDOMAIN and they get something else, even a NOERROR/NODATA response, the argument goes those applications _could_ explode in an earth shattering kaboom, cause mass hysteria, cats and dogs living together, etc.

    While I’ve always considered this concern "a bit" unreasonable, I figure its existence is worth pointing out.

    Regards,
    -drc




--- End Message ---
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
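
For anyone testing how an application reacts to the three configurations discussed in this thread, the following added example (not part of the original messages) classifies a raw DNS response by RCODE, answer count and the presence of an SOA in the authority section. The sample responses are constructed, not captured; `.foo` is the example TLD from the thread, while `ns.foo`, `admin.foo` and the SOA timer values are assumptions.

```python
import struct

NOERROR, NXDOMAIN, TYPE_SOA = 0, 3, 6   # RCODE and RR type values from RFC 1035

def encode_name(name):
    """Encode a domain name as length-prefixed labels (no compression)."""
    labels = [p for p in name.rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past the name starting at off."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n

def classify(msg):
    """Map a raw DNS response onto the three configurations in the thread."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    rcode, off, soa = flags & 0x000F, 12, False
    for _ in range(qd):               # question: name + QTYPE + QCLASS
        off = skip_name(msg, off) + 4
    for i in range(an + ns):          # answer RRs, then authority RRs
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        soa = soa or (i >= an and rtype == TYPE_SOA)
    if rcode == NXDOMAIN:
        return "config2: NXDOMAIN with SOA" if soa else "config1: NXDOMAIN, no SOA"
    if rcode == NOERROR and an == 0 and soa:
        return "config3: NOERROR/NODATA"
    return "other"

def build_response(qname, rcode, with_soa):
    """Constructed sample response (not captured traffic) for an A query."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    auth = b""
    if with_soa:
        rdata = (encode_name("ns.foo") + encode_name("admin.foo")
                 + struct.pack("!5I", 1, 3600, 600, 86400, 60))
        auth = encode_name("foo") + struct.pack("!HHIH", TYPE_SOA, 1, 60, len(rdata)) + rdata
    header = struct.pack("!6H", 0x1234, 0x8400 | rcode, 1, 0, int(with_soa), 0)
    return header + question + auth

if __name__ == "__main__":
    for rcode, with_soa in ((NXDOMAIN, False), (NXDOMAIN, True), (NOERROR, True)):
        print(classify(build_response("foo", rcode, with_soa)))
```
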
