> On 6 Mar 2015, at 19:37, Bob Harold <[email protected]> wrote:
>
> I would be concerned about blocking RD=0 (non-recursive). That would prevent
> me from checking to be sure an entry was NOT in the cache, in some DNS server my
> clients are using.

I thought cache probing was considered an unfortunate information leak :-)

You can block rd=0 in BIND using a view with a match-recursive-only
directive. So I think the only missing ACL is for ANY (and the similar
RRSIG).

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
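
An added example, not part of the original message and not taken from BIND's own documentation: a minimal named.conf sketch of the view setup described in the reply above. The ACL name, view name, address range and directory are constructed, and it assumes no other view is defined, so a query that matches no view is answered REFUSED.

```conf
// Constructed sample: resolver that only serves queries with RD=1.

acl "clients" {
    192.0.2.0/24;        // constructed documentation range (RFC 5737)
    localhost;
};

options {
    directory "/var/named";   // assumed path
};

view "recursive-only" {
    // Source-address match, as in any view.
    match-clients { "clients"; };

    // Only queries with the RD bit set select this view.
    // An rd=0 query from the same clients does not match here,
    // finds no other view, and is refused, so it cannot be used
    // to test whether a name is already in the cache.
    match-recursive-only yes;

    recursion yes;
    allow-recursion { "clients"; };
    allow-query-cache { "clients"; };
};

// Deliberately no catch-all view: adding one with
// "match-clients { any; };" would give rd=0 queries somewhere
// to land and reopen the cache-probing path unless that view
// has recursion and cache access disabled.
```

Once any view is defined, every zone statement has to live inside a view. This covers only the rd=0 case; it does nothing for the ANY and RRSIG query types the message names as still lacking an ACL.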
