> On Nov 13, 2015, at 11:50 AM, Stephane Bortzmeyer <[email protected]> wrote:
>
> On Thu, Nov 12, 2015 at 06:13:04PM +0000,
> Wessels, Duane <[email protected]> wrote
> a message of 57 lines which said:
>
>> As Mark pointed out, we can't use the SOA to make NXDOMAIN more aggressive.
>>
>> For a name like foo.bar.example.com and an NXDOMAIN response from
>> example.com we can't assume that there would be a zone cut between
>> foo and bar.
>
> Could anyone explain in detail why is it so? [I don't understand why
> the zone cut is important here: using the SOA does not depend on
> whether there is a zone cut or not.]
>
> Let's say I query foo.bar.example to example's name servers. I get:
>
> ...
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64182
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
> ...
> ;; QUESTION SECTION:
> ;foo.bar.example.       IN SOA
> ...
>
> example.                5400 IN SOA nsmaster.nic.example.
>                         hostmaster.nic.example. (
>                                 2222956935 ; serial
>                                 3600       ; refresh (1 hour)
> ....
>
> It can mean only one thing, that bar.example does not exist. How could
> it be different?
>
If 'bar.example IN A 127.0.0.1' existed in the example zone, what would you
expect for the response to your query above?

DW

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
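
The following is an added example, not part of the thread or of any participant's message. It models a minimal authoritative lookup for the example zone (no delegations, wildcards or DNSSEC) over two constructed zones, one with and one without 'bar.example IN A 127.0.0.1', to compare the responses for foo.bar.example. The function names and zone dictionaries are hypothetical; the SOA names and serial are the ones quoted above.

```python
# Constructed zones for illustration: {(owner, type): [rdata, ...]},
# owner names lower-case without the trailing dot.
SOA_RDATA = "nsmaster.nic.example. hostmaster.nic.example. 2222956935"
ZONE_WITHOUT_BAR = {("example", "SOA"): [SOA_RDATA]}
ZONE_WITH_BAR = {("example", "SOA"): [SOA_RDATA],
                 ("bar.example", "A"): ["127.0.0.1"]}


def name_exists(zone, qname):
    """A name exists if it owns records or is an ancestor of a name
    that does (an empty non-terminal)."""
    return any(owner == qname or owner.endswith("." + qname)
               for owner, _ in zone)


def respond(zone, qname, qtype):
    """Return (rcode, answer, authority) as a server authoritative for
    'example' would. Simplified model, an assumption of this example."""
    authority = [("example", "SOA", zone[("example", "SOA")][0])]
    rrset = zone.get((qname, qtype))
    if rrset:
        return ("NOERROR", [(qname, qtype, r) for r in rrset], [])
    if name_exists(zone, qname):
        return ("NOERROR", [], authority)      # NODATA
    return ("NXDOMAIN", [], authority)


def inferred_missing_parent(response, qname):
    """The inference questioned in the thread: on NXDOMAIN whose SOA owner
    is above qname's parent, conclude that the parent does not exist."""
    rcode, _, authority = response
    parent = qname.split(".", 1)[1]
    if rcode == "NXDOMAIN" and parent != authority[0][0]:
        return parent
    return None


if __name__ == "__main__":
    q = "foo.bar.example"
    for label, zone in (("without bar", ZONE_WITHOUT_BAR),
                        ("with bar", ZONE_WITH_BAR)):
        resp = respond(zone, q, "SOA")
        guess = inferred_missing_parent(resp, q)
        actual = respond(zone, guess, "A")[0]
        print(f"{label}: {q} -> {resp[0]}, SOA owner {resp[2][0][0]}; "
              f"inferred missing: {guess}; actual A lookup: {actual}")
```

Both zones produce the same NXDOMAIN with the same SOA for foo.bar.example, so a cache cannot tell them apart from that response alone.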
