On 11/02/2025 21:29, John Levine wrote:
> It appears that Wessels, Duane <[email protected]> said:
>> For whatever it’s worth, I think Unbound’s (presumably default) behavior here
>> is the right thing to do.
>> It matches my expectation for my argument that caching DNS servers “SHOULD, by
>> default, generate immediate negative responses for all such queries”.
>
> It's returning NOERROR with an invented SOA in the authority section unless you
> ask for SOA in which case you get it as the answer.
> That seems less right than returning NXDOMAIN. You can easily make it do that by
> adding a line to the config file but that's not the default.

For special-use domain names, Unbound behaves the same as with locally
served DNS zones (empty) zones by default.
That is NXDOMAIN for everything in the zone and NOERROR for the apex
where (fabricated) SOA and NS records exist.
Best regards,
-- Yorgos