In message <20161019140954.31332.qm...@ary.lan>, "John Levine" writes:
> >You may not care that validating stub resolvers that ask for
> >example.local get back answers that can be validated as NXDOMAIN
> >without leaking queries to the root but I do.  Just adding the zone
> >locally without having the insecure delegation results in just that
> >condition.
> It just occurred to me that we seem to disagree about what problem
> we're solving here.
> If we see a DNS query for .local or .onion, an application is trying
> to use mDNS or Tor on a machine that doesn't implement them.  On
> machines that do implement mDNS and Tor, neither does DNSSEC
> signatures, so there is no reason to provide answers that the
> application is not looking for.
> So a cache stub that provides unsigned answers to .local and .onion
> queries is just fine.  If the client treats that as SERVFAIL or
> whatever it does with unverified answers, that's fine too.

SERVFAIL is a temporary error.
NXDOMAIN is a permanent error which is cacheable.

SERVFAIL is not "fine".

> R's,
> John
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET:
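The distinction Mark draws (a validated NXDOMAIN is cacheable, a SERVFAIL is not, and a validating stub only accepts unsigned data under a name whose parent proves an insecure delegation) can be made concrete with a small model. The block below is an added example written for this page; it is not code from the thread, from ISC or from any resolver. It simplifies the RFC 4035 section 5 validation outcome and RFC 2308 negative caching to two inputs: what the signed root proves about `local.`, and whether the stub's negative cache already holds the name. All class and function names, and the constructed inputs, are assumptions for illustration.

```python
# Added example, not code from the thread: a model of how a DNSSEC-validating
# stub resolver treats an UNSIGNED negative answer for a name under a locally
# served zone such as example.local, and why that decides whether the result
# can be negatively cached.  Simplified from RFC 4035 s.5 (security states)
# and RFC 2308 (negative caching); names and inputs are assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class RootView(Enum):
    # What a validator can prove about "local." from the signed root zone.
    NAME_DOES_NOT_EXIST = "root NSEC proves 'local.' is not delegated at all"
    INSECURE_DELEGATION = "root has NS for 'local.' and NSEC proves no DS"


class Rcode(Enum):
    NXDOMAIN = 3   # permanent: the name does not exist; cacheable (RFC 2308)
    SERVFAIL = 2   # temporary: resolution failure; never stored as an answer


@dataclass
class Verdict:
    rcode: Rcode
    state: str      # DNSSEC security state the validator assigned
    reason: str


def validate_unsigned_nxdomain(root_view: RootView) -> Verdict:
    """Classify an unsigned NXDOMAIN for a name under local.

    A validator walks down from the trust anchor and accepts unsigned data
    only if it can prove the zone is *insecure* (a delegation exists and the
    absence of DS is proven).  If the parent proves the name is not delegated
    at all, the unsigned answer cannot come from any valid zone: *bogus*.
    """
    if root_view is RootView.INSECURE_DELEGATION:
        return Verdict(Rcode.NXDOMAIN, "insecure",
                       "no DS at root: unsigned NXDOMAIN is acceptable")
    return Verdict(Rcode.SERVFAIL, "bogus",
                   "root proves 'local.' does not exist; unsigned data is bogus")


class NegativeCache:
    """Negative cache per RFC 2308: NXDOMAIN is kept for a TTL bounded by the
    SOA MINIMUM field.  SERVFAIL is a failure, not an answer, so never stored."""

    def __init__(self, soa_minimum_ttl: int):
        self.soa_minimum_ttl = soa_minimum_ttl
        self._entries: Dict[str, float] = {}   # qname -> expiry time

    def get(self, qname: str, now: float) -> Optional[Rcode]:
        expiry = self._entries.get(qname)
        if expiry is not None and expiry > now:
            return Rcode.NXDOMAIN
        self._entries.pop(qname, None)       # expired or absent
        return None

    def put(self, qname: str, verdict: Verdict, now: float) -> None:
        if verdict.rcode is Rcode.NXDOMAIN:
            self._entries[qname] = now + self.soa_minimum_ttl


def lookup(qname: str, root_view: RootView, cache: NegativeCache,
           now: float) -> Tuple[Rcode, bool]:
    """Return (rcode, served_from_cache).  A cache miss means the stub had to
    send the query upstream again, which is the leak the thread is about."""
    hit = cache.get(qname, now)
    if hit is not None:
        return hit, True
    verdict = validate_unsigned_nxdomain(root_view)
    cache.put(qname, verdict, now)
    return verdict.rcode, False


def upstream_queries(root_view: RootView, repeats: int, ttl: int = 3600) -> int:
    """Count how many of `repeats` back-to-back lookups for example.local
    (constructed input) left the cache under the given root view."""
    cache = NegativeCache(soa_minimum_ttl=ttl)
    misses = 0
    for i in range(repeats):
        _, from_cache = lookup("example.local.", root_view, cache, now=float(i))
        if not from_cache:
            misses += 1
    return misses


if __name__ == "__main__":
    for view in RootView:
        print(f"{view.name}: {upstream_queries(view, 5)} of 5 lookups went upstream")
```

With an insecure delegation at the root, only the first of five lookups leaves the stub; the validated NXDOMAIN is then served from the negative cache until the SOA MINIMUM expires. With a locally added zone but no delegation at the root, every lookup ends in SERVFAIL, nothing is cached, and every repeat goes upstream again.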

DNSOP mailing list