Mark Andrews wrote on 2022-11-11 02:26:
... 4. Caching DNS Servers: Caching servers MUST [or SHOULD] NOT attempt to resolve .alt names in the global DNS root. They MAY respond to queries for such names with NXDOMAIN [or REFUSED?]. Caching servers MUST NOT intercept DO=1 queries as the client will not be able to validate such responses. The caching recursive server MAY synthesise a provable NXDOMAIN response as per RFC 8198. Caching servers SHOULD perform QNAME minimisation as per RFC 7816 for the .alt namespace by default. Querying for alt/DS or alt/NS will achieve this without leaking the query type.
i'm comfortable with either. a query for anything.ALT appearing on any wire is a sign of misconfiguration. dropping it, answering insecurely, answering servfail, or letting qname minimization from the root zone happen and sending secure nxdomain, are all in-scope here. as long as we are protecting the root zone from .ALT query storms, we're good. no other predictable or reliable response should be specified. makers and operators who allow .ALT queries to appear on the wire should learn fear and should live in fear. being liberal in how we receive those queries is in absolutely nobody's best interests.
--
P Vixie

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
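To make the quoted caching-server rules concrete, here is a toy model of the decision a recursive resolver would take for a name under .alt; it is an added example, not code from the thread, from any draft, or from any resolver implementation. The `Decision` structure, `handle_query`, and the root NSEC pair `ab.` to `at.` are constructed for illustration (the real root NSEC chain is not consulted), and the NSEC cover check skips the type-bitmap conditions of RFC 4035.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

NSEC = Tuple[str, str]          # (owner, next) pair from a cached root NSEC

def labels(name: str) -> Tuple[str, ...]:
    """Lowercased labels in RFC 4034 canonical order (root end first)."""
    return tuple(reversed([l.lower() for l in name.rstrip(".").split(".") if l]))

def nsec_covers(owner: str, nxt: str, target: str) -> bool:
    """True if the NSEC owner->next proves target absent (RFC 4035 s5.4).
    Tuple comparison of label sequences gives canonical ordering. The last
    NSEC of a zone, whose next name wraps to the apex, is handled too.
    Type-bitmap checks (owner being a delegation) are omitted in this toy."""
    o, n, t = labels(owner), labels(nxt), labels(target)
    if o < n:
        return o < t < n
    return t > o or t < n

@dataclass
class Decision:
    action: str                         # "local" or "forward"
    rcode: Optional[str] = None         # set when answered locally
    secure: bool = False                # True only for an RFC 8198 synthesis
    upstream: Optional[Tuple[str, str]] = None  # (qname, qtype) sent to the root

def handle_query(qname: str, qtype: str, do_bit: bool,
                 nsec_cache: List[NSEC]) -> Decision:
    """Apply the quoted rules to one query; nsec_cache models cached root NSECs."""
    if labels(qname)[:1] != ("alt",):
        return Decision("forward", upstream=(qname, qtype))
    # RFC 8198: a cached root NSEC spanning "alt." yields a provable NXDOMAIN
    # without any query reaching the root.
    if any(nsec_covers(o, n, "alt.") for o, n in nsec_cache):
        return Decision("local", rcode="NXDOMAIN", secure=True)
    if do_bit:
        # Validating client: never forge an unsigned denial. Send one
        # RFC 7816-minimised query for alt/NS so the root's own signed NSEC
        # comes back; the full name and original type are not exposed.
        return Decision("forward", upstream=("alt.", "NS"))
    # Non-validating client: answer locally (REFUSED would also fit the draft).
    return Decision("local", rcode="NXDOMAIN")

def learn_root_nsec(nsec_cache: List[NSEC], owner: str, nxt: str) -> None:
    """Cache the NSEC returned for the minimised alt/NS query."""
    nsec_cache.append((owner, nxt))

if __name__ == "__main__":
    cache: List[NSEC] = []
    print(handle_query("printer.home.alt.", "A", True, cache))   # forward alt./NS
    learn_root_nsec(cache, "ab.", "at.")   # constructed NSEC, not the real root chain
    print(handle_query("printer.home.alt.", "A", True, cache))   # secure NXDOMAIN
```

After the first DO=1 query has pulled the root's signed denial into the cache, every later .alt query, validating or not, is answered locally with a provable NXDOMAIN and nothing further reaches the root.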
