On Mon, Apr 10, 2023 at 01:39:21PM +0000, Wessels, Duane wrote:
> Perhaps:
>
> "A lame delegation is said to exist when one or more authoritative
> servers designated by the delegating NS rrset or by the apex NS rrset
> answers non-authoritatively for a zone".

This is a decent definition of the operational perspective. Once one
can judge that the non-authoritative response (say REFUSED) is a
persistent misconfiguration rather than a transient condition (or
observed from just a deliberately shunned vantage point), then one might
call the misconfigured delegation LAME. [ Note, the caveat above is not
an endorsement of selective prior blocking of DNS queries. ]

The nits are:

- Naturally, non-response would also need to be considered a form of
  non-authoritative response.
- A (progressive) delegation response to a query for a subdomain is not
  authoritative, and yet the parent's delegation is not LAME.
- A truncated response (with just the question and an OPT RR) might well
  have aa=0 (if say the full response would be a delegation), and yet
  the delegation is not LAME.

So non-LAME delegations will at times result in non-authoritative
responses. Indeed particularly from .COM a large fraction of the
responses are likely non-authoritative, and yet the root zone delegation
to .COM is not LAME. :-)

Perhaps we could say that a LAME delegation is one where the response
for the zone apex SOA or NS RRset is (persistently) non-authoritative
even after any TCP retries due to an initial truncated response.

--
Viktor.

P.S. Resolver-generated EDEs about LAME delegation may nevertheless
be limited to what the resolver can discern one query/response
at a time, i.e. non-productive delegation responses.
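
The test proposed in the message above, written out as an added example that is not part of the original post: it judges one delegated server from a series of recorded probes, applying the three nits as filters. The `Probe` record, the result labels and the persistence thresholds are assumptions (the message gives no numbers for "persistently"), and the sample observations are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Probe:
    """One query/response observed against a single delegated name server."""
    when: float            # seconds since the first probe
    qname: str
    qtype: str
    transport: str         # "udp" or "tcp"
    rcode: Optional[str]   # None means no response at all (timeout)
    aa: bool = False
    tc: bool = False

# Assumed thresholds for "persistently"; not taken from the message.
MIN_PROBES = 3
MIN_SPAN = 3600.0

def conclusive(zone: str, p: Probe) -> bool:
    """Keep only the probes the proposed definition lets us judge."""
    if p.qname.lower().rstrip(".") != zone.lower().rstrip("."):
        return False   # subdomain query: a referral with aa=0 is normal
    if p.qtype not in ("SOA", "NS"):
        return False   # the definition is about the apex SOA or NS RRset
    if p.rcode is not None and p.tc and p.transport == "udp":
        return False   # truncated: wait for the TCP retry before judging
    return True

def authoritative(p: Probe) -> bool:
    # A timeout (rcode None) counts as a non-authoritative response.
    return p.rcode is not None and p.aa

def classify(zone: str, probes: list[Probe]) -> str:
    judged = [p for p in probes if conclusive(zone, p)]
    if any(authoritative(p) for p in judged):
        return "not-lame"
    if len(judged) < MIN_PROBES:
        return "inconclusive"
    span = max(p.when for p in judged) - min(p.when for p in judged)
    return "lame" if span >= MIN_SPAN else "inconclusive"

# Constructed sample observations (not real measurements).
REFUSING = [Probe(t, "example.test.", "SOA", "udp", "REFUSED") for t in (0, 1800, 7200)]
REFERRALS = [Probe(t, "www.example.test.", "A", "udp", "NOERROR") for t in (0, 1800, 7200)]
TRUNCATED_THEN_OK = [Probe(0, "example.test.", "NS", "udp", "NOERROR", tc=True),
                     Probe(1, "example.test.", "NS", "tcp", "NOERROR", aa=True)]
```
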