Re: [DNSOP] Refusing NS queries, was Barry Leiba's Yes on draft-ietf-dnsop-qname-minimisation-08: (with COMMENT)

2015-12-27 Thread John Levine
For instance, some authoritative name servers embedded in load balancers reply properly to A queries but send REFUSED to NS queries.

>> If my policy is not to tell you about NS records, that's my policy.
>> It may be a stupid policy that causes downstream problems, but it's my
>>

Re: [DNSOP] Refusing NS queries, was Barry Leiba's Yes on draft-ietf-dnsop-qname-minimisation-08: (with COMMENT)

2015-12-27 Thread Paul Wouters
On Sun, 28 Dec 2015, John Levine wrote: Being listed as nameserver while unconditionally refusing all NS queries leads to a guaranteed failure with DNSSEC as there would not be a signed NS RRset published anywhere. Yes, we agree it could have bad results. The NS RR states that the

Re: [DNSOP] Refusing NS queries, was Barry Leiba's Yes on draft-ietf-dnsop-qname-minimisation-08: (with COMMENT)

2015-12-27 Thread Paul Vixie
On Sunday, December 27, 2015 10:31:52 PM Paul Wouters wrote:
> The section in question of the draft under discussion talks about the
> specific case where a load balancer is returning REFUSED because it
> did not implement NS queries, and that such behaviour is a violation
> of the RFC.

strictly

Re: [DNSOP] Refusing NS queries, was Barry Leiba's Yes on draft-ietf-dnsop-qname-minimisation-08: (with COMMENT)

2015-12-27 Thread John Levine
>> Unless, of course, the target doesn't like you and refuses your
>> queries for policy reasons.
>
>Note that I said "unconditionally refusing all NS queries". Conditionally
>refusing queries based on query source behaviour is off-topic.

Perhaps the target doesn't like anyone. Here's the entire

Re: [DNSOP] Refusing NS queries, was Barry Leiba's Yes on draft-ietf-dnsop-qname-minimisation-08: (with COMMENT)

2015-12-27 Thread Shumon Huque
On Sun, Dec 27, 2015 at 10:31 PM, Paul Wouters wrote:
> On Sun, 28 Dec 2015, John Levine wrote:
>
> Being listed as nameserver while unconditionally refusing all NS queries
>>> leads to a guaranteed failure with DNSSEC as there would not be a signed
>>> NS RRset published