Paul Wouters writes:

> In the non-DDOS case, the auth server is reachable and none of the data
> is getting additional TTL added:
>
> Answers from authoritative servers that have a DNS Response Code of
> either 0 (NOERROR) or 3 (NXDOMAIN) MUST be considered to have
> refreshed the data at the resolver. In particular, this means that
> this method is not meant to protect against operator error at the
> authoritative server that turns a name that is intended to be valid
> into one that is non-existent, because there is no way for a resolver
> to know intent.
>
> Although perhaps it should also explicitly state this regarding
> ServFail?

I personally have a very strong opposition to including servfail. Servfail is an extremely clear indication that the authority that was contacted is having some sort of structural problem. It is a very distinct condition from being told by the authority that the name does or does not exist.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
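The distinction the thread is drawing, as an added example that is not part of the original post and not the code of any real resolver: a toy serve-stale cache in which an authoritative answer with RCODE 0 (NOERROR) or 3 (NXDOMAIN) refreshes the entry, whereas SERVFAIL or a timeout leaves the entry untouched and the resolver keeps serving the expired data for the remaining stale window. The `MAX_STALE` limit, the 30-second TTL on stale answers and the record data are constructed values for the illustration.

```python
"""Toy serve-stale resolver cache (added example, not from the thread or any
real resolver).  Rule modelled: only NOERROR (0) and NXDOMAIN (3) from the
authority refresh cached data; SERVFAIL (2) and timeouts do not, so stale data
stays servable.  Constants and sample records are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3
MAX_STALE = 7 * 24 * 3600   # assumed: seconds an expired entry may still be served
STALE_TTL = 30              # assumed: TTL attached to a stale answer


@dataclass
class Entry:
    rcode: int              # NOERROR or NXDOMAIN as last confirmed by the authority
    rdata: List[str]
    ttl: int
    refreshed_at: float     # time of the last refreshing answer

    def is_expired(self, now: float) -> bool:
        return now >= self.refreshed_at + self.ttl

    def is_servable_stale(self, now: float) -> bool:
        return self.is_expired(now) and now < self.refreshed_at + self.ttl + MAX_STALE


@dataclass
class Response:
    rcode: Optional[int]    # None models a timeout / no response at all
    rdata: List[str] = field(default_factory=list)
    ttl: int = 0


class StaleCache:
    def __init__(self) -> None:
        self.entries: Dict[str, Entry] = {}

    def observe(self, name: str, resp: Response, now: float) -> bool:
        """Apply an upstream response; return True if the entry was refreshed.

        NXDOMAIN refreshes just like NOERROR: a mistaken deletion at the
        authority replaces a cached positive answer, which is exactly the
        operator-error case the quoted text says serve-stale cannot protect
        against.  SERVFAIL/timeout indicates a broken authority, not a fact
        about the name, so nothing is overwritten.
        """
        if resp.rcode in (NOERROR, NXDOMAIN):
            self.entries[name] = Entry(resp.rcode, list(resp.rdata), resp.ttl, now)
            return True
        return False

    def lookup(self, name: str, now: float) -> Optional[Tuple[int, List[str], int, bool]]:
        """Return (rcode, rdata, ttl_to_client, is_stale) or None if unanswerable."""
        e = self.entries.get(name)
        if e is None:
            return None
        if not e.is_expired(now):
            return (e.rcode, e.rdata, e.ttl - int(now - e.refreshed_at), False)
        if e.is_servable_stale(now):
            return (e.rcode, e.rdata, STALE_TTL, True)
        return None


def scenario() -> Dict[str, object]:
    """Walk one name through fresh -> SERVFAIL (stale served) -> NXDOMAIN (refreshed)."""
    cache = StaleCache()
    name = "www.example.test."          # constructed name
    cache.observe(name, Response(NOERROR, ["192.0.2.10"], ttl=300), now=0)
    out: Dict[str, object] = {"fresh": cache.lookup(name, now=100)}
    # Authority breaks: SERVFAIL must not replace the cached answer.
    out["servfail_refreshed"] = cache.observe(name, Response(SERVFAIL), now=400)
    out["after_servfail"] = cache.lookup(name, now=400)
    # Timeout behaves the same way as SERVFAIL.
    out["timeout_refreshed"] = cache.observe(name, Response(None), now=450)
    # Authority answers NXDOMAIN (e.g. operator deleted the name): this refreshes.
    out["nxdomain_refreshed"] = cache.observe(name, Response(NXDOMAIN, [], ttl=600), now=500)
    out["after_nxdomain"] = cache.lookup(name, now=500)
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, v)
```

The scenario shows both halves of the argument in the thread: after SERVFAIL the resolver still has, and serves, the last authoritative answer (marked stale), while an NXDOMAIN answer counts as a refresh and immediately replaces it.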
