In message <[email protected]>, Ondřej Surý writes:

> Hey all,
>
> we have received a notice that Knot DNS adds an
> answer in case the EDNS=1 (and higher) in the
> response where RCODE=BADVERS (and OPT EDNS=0).
>
> The RFC 6891 doesn't forbid such behaviour:
>
> If a responder does not implement the VERSION level of the
> request, then it MUST respond with RCODE=BADVERS. All responses
> MUST be limited in format to the VERSION level of the request, but
> the VERSION of each response SHOULD be the highest implementation
> level of the responder. In this way, a requestor will learn the
> implementation level of a responder as a side effect of every
> response, including error responses and including RCODE=BADVERS.
>
> And in fact we think this might be a more
> forward compatible behaviour than returning
> an empty response with RCODE=BADVERS.
>
> (Sending it here as dnsext is concluded...)
>
> Cheers,
> --
> Ondřej Surý -- Chief Science Officer
> -------------------------------------------
> CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
> Americka 23, 120 00 Praha 2, Czech Republic
> mailto:[email protected] http://nic.cz/
> -------------------------------------------
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
Just setting BADVERS does not work for negative responses. You cannot distinguish between a NOERROR NODATA and an NXDOMAIN response by just looking at the contents of the answer and authority sections unless you also include the DNSSEC records.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: [email protected]
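An added example (not from either message, and not Knot or BIND code) showing on the wire why the objection holds: RFC 6891 splits the 12-bit RCODE between the header's 4 bits and the OPT record's EXTENDED-RCODE byte, so a response carrying BADVERS (16) has nowhere left to signal NXDOMAIN versus NOERROR, and a constructed NODATA reply and a constructed NXDOMAIN reply (each with only an SOA in the authority section) become identical past the question. The zone, SOA contents and message ID are made up for the demonstration.

```python
import struct

NOERROR, NXDOMAIN, BADVERS, SOA, OPT = 0, 3, 16, 6, 41  # RFC 1035 / RFC 6891 values

def split_extended_rcode(rcode):
    """RFC 6891 6.1.3: 12-bit RCODE = OPT EXTENDED-RCODE (upper 8) + header RCODE (low 4)."""
    return rcode & 0xF, (rcode >> 4) & 0xFF

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:  # labels until root or compression pointer
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 else 1)

def build_negative_response(qname, qtype, rcode):
    """Constructed negative response: empty ANSWER, zone SOA in AUTHORITY, OPT in ADDITIONAL."""
    hdr_rc, ext_rc = split_extended_rcode(rcode)  # BADVERS -> header RCODE 0, ext 1
    header = struct.pack(">HHHHHH", 0x1234, 0x8400 | hdr_rc, 1, 0, 1, 1)  # QR=1, AA=1
    question = encode_name(qname) + struct.pack(">HH", qtype, 1)
    soa_rdata = (encode_name("ns1.example.") + encode_name("hostmaster.example.")
                 + struct.pack(">IIIII", 2024010100, 7200, 3600, 1209600, 3600))
    authority = encode_name("example.") + struct.pack(">HHIH", SOA, 1, 3600, len(soa_rdata)) + soa_rdata
    # OPT "TTL" = EXTENDED-RCODE << 24 | VERSION << 16 | flags (version 0, DO clear)
    opt = b"\x00" + struct.pack(">HHIH", OPT, 4096, ext_rc << 24, 0)
    return header + question + authority + opt

def rcode_and_sections(msg):
    """Return (12-bit RCODE, raw bytes of answer+authority+additional): all a client sees."""
    flags, qd, an, ns, ar = struct.unpack(">HHHHH", msg[2:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    body, ext_rc, p = msg[off:], 0, off
    for _ in range(an + ns + ar):
        p = skip_name(msg, p)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[p:p + 10])
        if rtype == OPT:
            ext_rc = ttl >> 24
        p += 10 + rdlen
    return (ext_rc << 4) | (flags & 0xF), body

def same_on_the_wire(nodata_rcode, nxdomain_rcode):
    """NODATA (www.example. has no AAAA) vs NXDOMAIN (nope.example.): identical past the question?"""
    nodata = build_negative_response("www.example.", 28, nodata_rcode)
    nxdomain = build_negative_response("nope.example.", 1, nxdomain_rcode)
    return rcode_and_sections(nodata) == rcode_and_sections(nxdomain)
```

With the proper RCODEs `same_on_the_wire(NOERROR, NXDOMAIN)` is false; once both are sent as BADVERS it is true, which is exactly the ambiguity a client would then need NSEC/NSEC3 records to resolve.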
