On 2013-02-22, at 01:47, Mark Andrews <[email protected]> wrote:

> In message <[email protected]>, George Michaels on writes:
>
>> On 21/02/2013, at 6:46 AM, Mark Andrews <[email protected]> wrote:
>>
>>> * it changes the response from NXDOMAIN to NOERROR NODATA.
>>
>> And why is that "wrong" ? I don't understand what you see as the outcomes.
>> more query? bad DNS? load?
>
> For much the same reason that *.COM was bad. You *will* break things
> that you are unaware of.

For clarity, the reason why the spec specifies NOERROR NODATA rather than NXDOMAIN is that the enclosing SOA is synthesised from the QNAME.

Returning an NXDOMAIN with an SOA owner name of . was where we started, and (as pointed out by many) that breaks negative caching for most/all resolvers which is the opposite of what we want.

Returning an NXDOMAIN with SOA owner name == QNAME seems wrong, since we're simultaneously saying that the name doesn't exist and returning an RRSet with the same name.

Guessing at a different owner name for the SOA seems bad because at this point we're just making stuff up and surely it'll be wrong at least some of the time, and break negative caching again.

Returning NOERROR NODATA with SOA owner name == QNAME seemed like the best option. It's still a form of negative response, which (according to our testing) is cached in a way that makes sense.

For the record, we realise this is a hack. But it's a hack that facilitates new delegations to AS112 without risking lame delegations, which would be bad in their own way (lame delegations are to be expected when we have no central control over AS112 operators, and don't even know where they are in general, never mind how to contact the people who run them or check that they are not lame).

Joe
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
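
Added illustration, not part of the original message and not code from the spec or any AS112 operator: a sketch that builds the NOERROR/NODATA reply described above, with the SOA owner name equal to the QNAME, and then derives the key and TTL a resolver following RFC 2308 would cache it under. The SOA field values, the query name and all function names are constructed assumptions, and the query is assumed to carry exactly one question.

```python
import struct

# Constructed placeholder SOA fields (assumptions, not values from the spec).
MNAME, RNAME = "ns.example.invalid", "hostmaster.example.invalid"
SOA_TTL, SOA_MINIMUM = 3600, 300

def to_wire(name):
    """Encode a dotted name as uncompressed DNS wire-format labels."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".") if l) + b"\x00"

def make_query(name, qtype=1, qid=0x1234):
    """Constructed sample query (class IN, RD set) used as test input."""
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + to_wire(name) + struct.pack("!HH", qtype, 1)

def read_question(msg):
    """Return (qname_wire, qtype, qclass) of the first question."""
    pos = 12
    while msg[pos] != 0:
        pos += 1 + msg[pos]
    pos += 1
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return msg[12:pos], qtype, qclass

def synth_nodata(query):
    """Build a NOERROR/NODATA reply whose SOA owner name is the QNAME."""
    qid, flags = struct.unpack("!HH", query[:4])
    qname, qtype, qclass = read_question(query)
    # QR=1, AA=1, opcode and RD copied from the query, RCODE=0; ANCOUNT=0, NSCOUNT=1.
    header = struct.pack("!HHHHHH", qid, 0x8400 | (flags & 0x7900), 1, 0, 1, 0)
    rdata = to_wire(MNAME) + to_wire(RNAME)
    rdata += struct.pack("!IIIII", 1, 3600, 600, 86400, SOA_MINIMUM)
    # Owner name is a compression pointer to offset 12, i.e. the QNAME itself.
    soa = b"\xc0\x0c" + struct.pack("!HHIH", 6, qclass, SOA_TTL, len(rdata)) + rdata
    return header + qname + struct.pack("!HH", qtype, qclass) + soa

def negative_cache_entry(reply):
    """Resolver-side view of that reply: (cache key, TTL) per RFC 2308."""
    _, flags, _, ancount, nscount, _ = struct.unpack("!HHHHHH", reply[:12])
    qname, qtype, qclass = read_question(reply)
    off = 12 + len(qname) + 4  # start of the single authority record
    rtype, _, ttl, rdlen = struct.unpack("!HHIH", reply[off + 2:off + 12])
    if flags & 0x000F or ancount or nscount != 1 or rtype != 6 or reply[off:off + 2] != b"\xc0\x0c":
        raise ValueError("not a NOERROR/NODATA reply with SOA owner == QNAME")
    minimum = struct.unpack("!I", reply[off + 8 + rdlen:off + 12 + rdlen])[0]
    # NODATA is cached against <QNAME, QTYPE, QCLASS> for min(SOA TTL, SOA MINIMUM).
    return (qname, qtype, qclass), min(ttl, minimum)

if __name__ == "__main__":
    print(negative_cache_entry(synth_nodata(make_query("host.zone.example", qtype=12))))
```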
