On 2026-01-12 at 14:01 +0800, 仇渝淇 wrote:
> RD Flag Clarification draft-qiu-dnsop-rd-flag-clarification-01 This
> draft clarifies how resolvers should handle the RD flag when it is
> set to 0. This standardizes behavior to stop loop amplification
> attacks like "TsuKing".
> Link:
> https://datatracker.ietf.org/doc/draft-qiu-dnsop-rd-flag-clarification/

On section 4.3.1, stating:

> * If the name is known to not exist (e.g., from a cached
>   NXDOMAIN or a negative cache entry compliant with
>   [RFC2308]),
>   the resolver SHOULD return a response with RCODE=NXDOMAIN.

In addition to RFC2308, I would add a reference to the possibility of knowing the non-existence of the name due to DNSSEC-Validated entries in cache (RFC 8198: Aggressive Use of DNSSEC-Validated Cache).

Regards
_______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
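
The "name is known to not exist" test discussed above, sketched as an added example that is not part of the message or the draft: it accepts either an RFC 2308 negative entry or validated NSEC records in cache (RFC 8198), checking both the query name and the wildcard at the closest encloser. The cache layout, function names and the example.test zone are assumptions made for illustration.

```python
# Added example, not from the draft: cache layout and function names are assumptions.
def key(name):
    """Canonical DNS ordering key (RFC 4034 section 6.1): lowercase labels, rightmost first."""
    return tuple(l.encode() for l in reversed(name.lower().rstrip(".").split(".")))

def covers(owner, nxt, q):
    """True if the NSEC span owner -> nxt (as keys) proves that key q is not an owner name."""
    if nxt[:len(q)] == q:                # q is nxt or an empty non-terminal above it: it exists
        return False
    if owner < nxt:
        return owner < q < nxt
    return q > owner and q[:len(nxt)] == nxt   # last NSEC in the zone wraps back to the apex

def shared(a, b):
    """Longest common ancestor of two keys."""
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    return a[:i]

def nsec_proves_nxdomain(qname, nsecs, now):
    """RFC 8198: a cached NSEC must cover qname and one must cover the wildcard at its closest encloser."""
    q = key(qname)
    live = [(key(n["owner"]), key(n["next"])) for n in nsecs
            if n["validated"] and n["expires"] > now]   # only unexpired, DNSSEC-validated records
    for owner, nxt in live:
        if covers(owner, nxt, q):
            encloser = max(shared(q, owner), shared(q, nxt), key=len)
            return any(covers(o, n, encloser + (b"*",)) for o, n in live)
    return False

def known_nonexistent(qname, cache, now):
    """Cache-only non-existence test for an RD=0 query; True means RCODE=NXDOMAIN applies."""
    neg = cache["negative"].get(qname.lower().rstrip("."))   # RFC 2308 negative entry (expiry time)
    if neg is not None and neg > now:
        return True
    return nsec_proves_nxdomain(qname, cache["nsec"], now)

# Constructed sample cache for a made-up zone; expiry times are absolute seconds.
CACHE = {
    "negative": {"gone.example.test": 1000},
    "nsec": [
        {"owner": "example.test", "next": "alpha.example.test", "expires": 1000, "validated": True},
        {"owner": "alpha.example.test", "next": "www.example.test", "expires": 1000, "validated": True},
        {"owner": "www.example.test", "next": "example.test", "expires": 1000, "validated": False},
    ],
}
print(known_nonexistent("mail.example.test", CACHE, now=500))
```

A False result only means the cache holds no proof of non-existence; what the resolver does next for an RD=0 query is governed by the rest of section 4.3.1, which this sketch does not model.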
