In message <20161019140954.31332.qm...@ary.lan>, "John Levine" writes:
>
> >You may not care that validating stub resolvers that ask for
> >example.local get back answers that can be validated as NXDOMAIN
> >without leaking queries to the root but I do. Just adding the zone
> >locally without having the insecure delegation results in just that
> >condition.
>
> It just occurred to me that we seem to disagree about what problem
> we're solving here.
>
> If we see a DNS query for .local or .onion, an application is trying
> to use mDNS or Tor on a machine that doesn't implement them. On
> machines that do implement mDNS and Tor, neither does DNSSEC
> signatures, so there is no reason to provide answers that the
> application is not looking for.
>
> So a cache stub that provides unsigned answers to .local and .onion
> queries is just fine. If the client treats that as SERVFAIL or
> whatever it does with unverified answers, that's fine too.
SERVFAIL is a temporary error. NXDOMAIN is a permanent error which is
cacheable. SERVFAIL is not "fine".

> R's,
> John

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
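The distinction Mark draws (a locally served zone answering NXDOMAIN that a cache can hold, versus a SERVFAIL that a client must retry) is easy to see in a toy resolver. The following Python is an added illustration, not code from the thread, BIND or ISC: it models a caching resolver that answers names under locally served zones (assumed here to be .local and .onion) without forwarding to an upstream, caches NXDOMAIN for the negative TTL carried with the answer (the SOA MINIMUM rule of RFC 2308), and never caches SERVFAIL. The upstream server, its response table and the TTL values are constructed sample data; the query counter shows what does and does not leak upstream.

```python
"""Toy caching resolver: NXDOMAIN is negatively cached, SERVFAIL is not.

Added example (not from the DNSOP thread). Locally served zones, the
upstream response table and all TTLs are constructed assumptions.
"""

NOERROR, NXDOMAIN, SERVFAIL = "NOERROR", "NXDOMAIN", "SERVFAIL"

# Assumed locally served zones: queries under these never reach the upstream.
LOCAL_ZONES = ("local.", "onion.")


class Upstream:
    """Stand-in for the root/upstream server; counts every query it receives."""

    def __init__(self, responses):
        # name -> (rcode, negative/positive TTL in seconds); constructed data
        self.responses = responses
        self.queries = 0

    def query(self, name):
        self.queries += 1
        # Anything not in the table is treated as a server failure.
        return self.responses.get(name, (SERVFAIL, 0))


class CachingResolver:
    def __init__(self, upstream, now):
        self.upstream = upstream
        self.now = now            # callable returning the current time
        self.cache = {}           # name -> (rcode, expiry time)

    def _locally_served(self, name):
        return any(name == z or name.endswith("." + z) for z in LOCAL_ZONES)

    def resolve(self, name):
        """Return (rcode, source) where source is 'local', 'cache' or 'upstream'."""
        if self._locally_served(name):
            # Empty local zone: a permanent NXDOMAIN, no query leaks upstream.
            return NXDOMAIN, "local"

        entry = self.cache.get(name)
        if entry and entry[1] > self.now():
            return entry[0], "cache"

        rcode, ttl = self.upstream.query(name)
        if rcode in (NOERROR, NXDOMAIN):
            # NXDOMAIN is a definitive answer: cache it for its negative TTL.
            self.cache[name] = (rcode, self.now() + ttl)
        # SERVFAIL is transient: deliberately not cached, so it is retried.
        return rcode, "upstream"


class FakeClock:
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Run a short scenario and return the observable counts for inspection."""
    clock = FakeClock()
    upstream = Upstream({
        "www.example.": (NOERROR, 300),   # constructed positive answer
        "nosuch.example.": (NXDOMAIN, 60),  # constructed negative answer, 60s TTL
        # "broken.example." is absent -> SERVFAIL
    })
    r = CachingResolver(upstream, clock)

    local = r.resolve("example.local.")        # answered locally, no upstream query
    nx1 = r.resolve("nosuch.example.")         # goes upstream once
    nx2 = r.resolve("nosuch.example.")         # served from negative cache
    after_nx = upstream.queries
    sf1 = r.resolve("broken.example.")         # SERVFAIL, not cached
    sf2 = r.resolve("broken.example.")         # SERVFAIL again, re-queried
    after_sf = upstream.queries
    clock.advance(61)                          # negative TTL expires
    nx3 = r.resolve("nosuch.example.")         # re-queried after expiry
    return {
        "local": local, "nx": (nx1, nx2, nx3), "sf": (sf1, sf2),
        "queries_after_nx": after_nx, "queries_after_sf": after_sf,
        "queries_final": upstream.queries,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The counts make the point concrete: the .local lookup never leaves the host, the NXDOMAIN costs one upstream query until its negative TTL runs out, and every SERVFAIL costs a fresh upstream query because there is nothing valid to cache.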