On 24. 05. 22 17:54, Vladimír Čunát via dns-operations wrote:

On 23/05/2022 15.48, Thomas, Matthew via dns-operations wrote:

Configuration 1: Generate a synthetic NXDOMAIN response to all queries with no SOA provided in the authority section.

I believe the protocol says not to cache such answers at all. Some implementations chose to cache at least a few seconds, but I don't think all of them.  Breaking caching seems risky to me, as traffic could increase very much (if the TLD was queried a lot).


Configuration 2: Generate a synthetic NXDOMAIN response to all queries with a SOA record.  Some example queries for the TLD .foo are below:

It still feels a bit risky to answer in this non-conforming way, and I can't really see why one would attempt that.  At apex the NXDOMAIN would deny the SOA included in the very same answer...


Configuration 3: Use a properly configured empty zone with correct NS and SOA records. Queries for the single label TLD would return a NOERROR and NODATA response.

I expect that's OK, especially if it's a TLD that's seriously considered.  I'd hope that "bad" usage is mainly sensitive to existence of records of other types like A.

Generally I agree with Vladimir, Configuration 3 is the way to go.

Non-compliant responses are riskier than protocol-compliant responses, and option 3 is the only compliant variant in your proposal.

Reasoning: Behavior for a non-compliant answer is basically undefined because most RFCs do not describe what to do when a MUST condition is violated. It's hard to see how further evaluation of undefined behavior would help with determining the further course of action.

--
Petr Špaček  @  Internet Systems Consortium
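An added example, not code from the thread or from either poster: a small model of the three configurations under discussion, with a checker that applies the RFC 2308 negative-caching rules to each (NXDOMAIN without SOA is not negative-cacheable; NXDOMAIN for the same name the SOA asserts is self-contradictory; an empty zone answers NODATA with an SOA and caches for min(SOA TTL, SOA MINIMUM)). The record model, the `.foo` names and the TTL values are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed, minimal DNS response model: only what the RFC 2308 checks need.
@dataclass
class RR:
    owner: str
    rtype: str
    ttl: int
    minimum: int = 0  # SOA MINIMUM field; ignored for other types

@dataclass
class Response:
    qname: str
    rcode: str  # "NXDOMAIN" or "NOERROR"
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)

def _norm(name: str) -> str:
    return name.rstrip(".").lower()

def negative_ttl(soa: RR) -> int:
    """RFC 2308 section 3: negative TTL = min(SOA TTL, SOA MINIMUM)."""
    return min(soa.ttl, soa.minimum)

def classify(resp: Response) -> dict:
    """Return a verdict and the negative-cache TTL (None = not cacheable)."""
    soas = [rr for rr in resp.authority if rr.rtype == "SOA"]
    if resp.rcode == "NXDOMAIN":
        if not soas:  # Configuration 1: no way to derive a negative TTL
            return {"verdict": "non-compliant: NXDOMAIN without SOA", "neg_ttl": None}
        soa = soas[0]
        if _norm(soa.owner) == _norm(resp.qname):  # Configuration 2 at apex
            return {"verdict": "non-compliant: NXDOMAIN denies the SOA owner name",
                    "neg_ttl": None}
        return {"verdict": "NXDOMAIN, negative-cacheable", "neg_ttl": negative_ttl(soa)}
    if resp.rcode == "NOERROR" and not resp.answer:
        if soas:  # Configuration 3: empty zone, NODATA with SOA
            return {"verdict": "compliant NODATA, negative-cacheable",
                    "neg_ttl": negative_ttl(soas[0])}
        return {"verdict": "NODATA without SOA, not negative-cacheable", "neg_ttl": None}
    return {"verdict": "positive answer", "neg_ttl": None}

# Constructed sample responses for a query of the bare TLD "foo."
SOA_FOO = RR("foo.", "SOA", ttl=3600, minimum=300)
CONFIG1 = Response("foo.", "NXDOMAIN")
CONFIG2 = Response("foo.", "NXDOMAIN", authority=[SOA_FOO])
CONFIG3 = Response("foo.", "NOERROR", authority=[SOA_FOO])
```

Running `classify` on the three samples gives no negative TTL for the first two and a 300-second NODATA cache entry for the third; a query below the apex, such as `www.foo.`, with the same SOA is an ordinary cacheable NXDOMAIN.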

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
