On Mon, Apr 10, 2023 at 01:39:21PM +0000, Wessels, Duane wrote:

> Perhaps:
>
> "A lame delegation is said to exist when one or more authoritative
> servers designated by the delegating NS rrset or by the apex NS rrset
> answers non-authoritatively for a zone".

This is a decent definition of the operational perspective. Once one can judge that the non-authoritative response (say REFUSED) is a persistent misconfiguration rather than a transient condition (or observed from just a deliberately shunned vantage point), then one might call the misconfigured delegation LAME.

[ Note, the caveat above is not an endorsement of selective prior blocking of DNS queries. ]

The nits are:

- Naturally, non-response would also need to be considered a form of non-authoritative response.

- A (progressive) delegation response to a query for a subdomain is not authoritative, and yet the parent's delegation is not LAME.

- A truncated response (with just the question and an OPT RR) might well have aa=0 (if say the full response would be a delegation), and yet the delegation is not LAME.

So non-LAME delegations will at times result in non-authoritative responses. Indeed particularly from .COM a large fraction of the responses are likely non-authoritative, and yet the root zone delegation to .COM is not LAME. :-)

Perhaps we could say that a LAME delegation is one where the response for the zone apex SOA or NS RRset is (persistently) non-authoritative even after any TCP retries due to an initial truncated response.

--
    Viktor.

P.S. Resolver-generated EDEs about LAME delegation may nevertheless be limited to what the resolver can discern one query/response at a time, i.e. non-productive delegation responses.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
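
The definition proposed at the end of this message, sketched as an added example that is not part of the original e-mail or any DNSOP draft: a classifier over recorded replies to zone-apex SOA/NS queries. The record types, the `min_probes` threshold used to stand in for "persistent", and the sample server names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Sequence

@dataclass(frozen=True)
class Reply:
    aa: bool                 # Authoritative Answer bit of the reply
    tc: bool = False         # truncated: the UDP reply must be retried over TCP
    rcode: str = "NOERROR"   # informational only; the judgment below uses aa

@dataclass(frozen=True)
class Probe:
    """One apex SOA/NS query to one server; None means no response arrived."""
    udp: Optional[Reply]
    tcp: Optional[Reply] = None   # reply to the TCP retry, if one was made

def probe_authoritative(p: Probe) -> bool:
    # A truncated UDP reply may carry aa=0, so judge the TCP retry instead.
    reply = p.tcp if (p.udp is not None and p.udp.tc) else p.udp
    # Non-response counts as a non-authoritative response.
    return reply is not None and reply.aa

def server_lame(probes: Sequence[Probe], min_probes: int = 3) -> bool:
    # Assumption: "persistent" = every one of at least min_probes probes failed.
    return len(probes) >= min_probes and not any(map(probe_authoritative, probes))

def lame_servers(zone: Dict[str, Sequence[Probe]]) -> list:
    """Names of designated servers that are persistently non-authoritative."""
    return sorted(ns for ns, probes in zone.items() if server_lame(probes))

REFUSED = Reply(aa=False, rcode="REFUSED")
OK = Reply(aa=True)
# Constructed observations for a hypothetical zone, three probes per server.
SAMPLE = {
    "ns1.example.": [Probe(OK)] * 3,
    "ns2.example.": [Probe(Reply(aa=False, tc=True), tcp=OK)] * 3,  # truncation nit
    "ns3.example.": [Probe(REFUSED)] * 3,                           # persistent
    "ns4.example.": [Probe(None)] * 3,                              # never answers
    "ns5.example.": [Probe(REFUSED), Probe(OK), Probe(OK)],         # transient
}

if __name__ == "__main__":
    print(lame_servers(SAMPLE))
```

Because only apex SOA/NS queries are modelled, a referral returned for a subdomain query never enters the judgment, which sidesteps the progressive-delegation nit.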