On Wed, Feb 05, 2025 at 08:43:51PM -0500, Donald Eastlake <[email protected]> wrote a message of 28 lines which said:
> "invalid" certainly isn't perfect. Maybe it should have been > "non-existent" or something. Despite what RFC 6761 says, many resolvers will not return NXDOMAIN for names under .invalid. Testing with 250 RIPE Atlas probes, we see many resolvers returning dummy data: % blaeu-resolve --requested 250 --type SOA invalid [ERROR: NXDOMAIN] : 182 occurrences [localhost. nobody.invalid. 1 3600 1200 604800 10800] : 59 occurrences [ERROR: SERVFAIL] : 3 occurrences [localhost. nobody.invalid. 1 600 1200 604800 10800] : 1 occurrences Test #86858822 done at 2025-02-11T13:47:26Z So, you cannot rely on .invalid to guarantee the name does not exist. _______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
