On Thu, 2020-07-30 at 02:58 +0100, Tony Finch wrote:
> Ilari Liusvaara <ilariliusva...@welho.com> wrote:
> > Then there is RRSIG, which seems a bit alarming. While direct queries
> > should not do anything special, I noticed two troublesome properties:
> >
> > 1) The answers can be pretty large (amplification hazard with UDP).
> > 2) The queries can be really slow compared to other types.
>
> Yes. From an implementation perspective, RRSIG queries work in a very
> similar way to ANY queries. They have the advantage that no-one is likely
> to think an RRSIG query is useful, so it's reasonable to NOTIMP them.
> If QTYPE=ANY is forbidden for early data then QTYPE=RRSIG should be too.

NOTIMP tells the client 'I do not support the QUERY opcode'. That is not a
message you want to send out, unless you want people to just stop querying
you.

(PowerDNS has picked REFUSED as the response to RRSIG queries).

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
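
The policy discussed in this message, as an added example that is not part of the original e-mail and is not PowerDNS code: a wire-level filter that answers QTYPE=RRSIG and QTYPE=ANY queries with RCODE REFUSED (5) rather than NOTIMP (4), echoing only the question so the reply is never larger than the query. The function names and the sample query are constructed for illustration, and the sketch assumes a single-question query and drops any EDNS OPT record from the reply.

```python
import struct

QTYPE_RRSIG, QTYPE_ANY = 46, 255
RCODE_NOTIMP, RCODE_REFUSED = 4, 5
BLOCKED_QTYPES = {QTYPE_RRSIG, QTYPE_ANY}


def parse_question(msg: bytes):
    """Return (end_offset, qtype) of the single question in a DNS query."""
    if len(msg) < 12:
        raise ValueError("short header")
    if struct.unpack_from("!H", msg, 4)[0] != 1:
        raise ValueError("expected exactly one question")
    pos = 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[pos]
        if length & 0xC0:  # pointers/reserved label types are not valid here
            raise ValueError("compression pointer in QNAME")
        pos += 1 + length
        if length == 0:  # root label terminates the name
            break
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    return pos + 4, struct.unpack_from("!H", msg, pos)[0]


def refuse_costly(msg: bytes):
    """Return a REFUSED response for RRSIG/ANY queries, else None."""
    end, qtype = parse_question(msg)
    if qtype not in BLOCKED_QTYPES:
        return None
    qid, flags = struct.unpack_from("!HH", msg, 0)
    # QR=1, OPCODE and RD copied from the query, RCODE=REFUSED (not NOTIMP).
    rflags = 0x8000 | (flags & 0x7900) | RCODE_REFUSED
    # Header plus the echoed question only: no answer data to amplify.
    return struct.pack("!HHHHHH", qid, rflags, 1, 0, 0, 0) + msg[12:end]


def build_query(name: str, qtype: int, qid: int = 0x1234) -> bytes:
    """Constructed sample input: a query with RD set, class IN, no EDNS."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)
```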