On Mon, 5 Nov 2018, Bob Harold wrote:

On Mon, Nov 5, 2018 at 1:51 PM Paul Vixie <p...@redbarn.org> wrote:
      because of deliberate reconfiguration or takedown, i'll hope that
      serve-stale offers authority operators (both apex and parent) a
      signalling pattern that says, "actually, i want this dead, NOW."


Good point. I think that would mean that if using all the NS records in the
cache fails to get a good response, then the resolver should check
the parent domain to see if the NS records have changed or have been removed.
(answers or NXDOMAIN being a good response in this case, REFUSED or LAME or
timeout being bad responses)

Would that work? Should that be in the draft?

Something along those lines should be added. But this particular
approach might be too simple. What if the parent is also under
DDoS attack? When can/should you look at the parent's parent (e.g.
think Public Suffix boundaries)?

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
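
The check proposed in this thread, sketched as an added example that is not part of the original messages or of the serve-stale draft: a resolver consults the parent only after every cached NS has failed to give a good response, and serves stale data only if the delegation is unchanged. The function names, the `Action` values, and the handling of an unreachable parent (the question the last reply leaves open) are assumptions.

```python
from enum import Enum

class Resp(Enum):
    ANSWER = 1
    NXDOMAIN = 2
    REFUSED = 3
    LAME = 4
    TIMEOUT = 5

# "Good" responses as classified in the thread; everything else is "bad".
GOOD = {Resp.ANSWER, Resp.NXDOMAIN}

class Action(Enum):
    USE_FRESH = "a cached NS answered: use the fresh response"
    REFETCH = "parent lists a different NS set: retry against it"
    DROP_STALE = "parent no longer delegates the zone: do not serve stale"
    SERVE_STALE = "delegation unchanged: serve stale data"
    SERVE_STALE_UNVERIFIED = "parent gave no good response: undecided in the thread"

def norm(names):
    """Compare NS names case-insensitively and without the trailing dot."""
    return {n.lower().rstrip(".") for n in names}

def decide(cached_ns, probe, parent_lookup):
    """cached_ns: NS names held in the cache for the zone.
    probe(ns) -> Resp for a query sent to that server (hypothetical callback).
    parent_lookup() -> NS names the parent currently delegates to, an empty
    set if the delegation is gone, or None if the parent itself returned
    only bad responses (hypothetical callback)."""
    for ns in sorted(norm(cached_ns)):
        if probe(ns) in GOOD:
            return Action.USE_FRESH
    current = parent_lookup()          # only reached when every cached NS failed
    if current is None:
        return Action.SERVE_STALE_UNVERIFIED   # assumption: flag it, do not trust it
    if not current:
        return Action.DROP_STALE       # the "i want this dead, NOW" signal
    if norm(current) != norm(cached_ns):
        return Action.REFETCH
    return Action.SERVE_STALE

# Constructed sample: both cached servers time out, parent has removed the zone.
CACHED = {"ns1.example.net.", "NS2.example.net."}
def all_timeout(ns):
    return Resp.TIMEOUT

if __name__ == "__main__":
    print(decide(CACHED, all_timeout, lambda: set()).value)
```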
