> On Feb 11, 2025, at 9:11 AM, Paul Hoffman <[email protected]> wrote:
>
> On Feb 11, 2025, at 08:46, John Levine <[email protected]> wrote:
>>
>> It appears that Stephane Bortzmeyer <[email protected]> said:
>>
>>> [localhost. nobody.invalid. 1 3600 1200 604800 10800] : 59 occurrences
>>
>> That's what Unbound returns. Comments in the config file say that it
>> by default returns an empty stub for a bunch of names like .test and .invalid
>> so the queries aren't sent upstream. You can use config options to drop the
>> query or return NXDOMAIN or REFUSED.
>>
>> This seems somewhere between a good idea and wrong.
>
> It also speaks loudly about the idea that people read and act consistently on
> the entries in the SUDN registry.
>
For whatever it’s worth, I think Unbound’s (presumably default) behavior here is the right thing to do. It matches my expectation for my argument that caching DNS servers "SHOULD, by default, generate immediate negative responses for all such queries".

DW
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
