For instance, some authoritative name servers embedded in load
balancers reply properly to A queries but send REFUSED to NS queries.
>> If my policy is not to tell you about NS records, that's my policy.
>> It may be a stupid policy that causes downstream problems, but it's my
>>
On Sun, 28 Dec 2015, John Levine wrote:
Being listed as nameserver while unconditionally refusing all NS queries
leads to a guaranteed failure with DNSSEC as there would not be a signed
NS RRset published anywhere.
Yes, we agree it could have bad results.
The NS RR states that the
On Sunday, December 27, 2015 10:31:52 PM Paul Wouters wrote:
> The section in question of the draft under discussion talks about the
> specific case where a load balancer is returning REFUSED because it
> did not implement NS queries, and that such behaviour is a violation
> of the RFC.
strictly
>> Unless, of course, the target doesn't like you and refuses your
>> queries for policy reasons.
>
>Note that I said "unconditionally refusing all NS queries". Conditionally
>refusing queries based on query source behaviour is off-topic.
Perhaps the target doesn't like anyone. Here's the entire
On Sun, Dec 27, 2015 at 10:31 PM, Paul Wouters wrote:
> On Sun, 28 Dec 2015, John Levine wrote:
>
> Being listed as nameserver while unconditionally refusing all NS queries
>>> leads to a guaranteed failure with DNSSEC as there would not be a signed
>>> NS RRset published