On Tue, 2021-03-02 at 15:50 +0000, Paul Hoffman wrote:
> On Mar 2, 2021, at 5:23 AM, Peter van Dijk <[email protected]>
> wrote:
> > My suggestion (seriously): prohibit NSEC and RRSIG queries.
>
> Prohibiting queries is pointless. Systems query freely, even if stupidly. (
> Have you ever seen the query traffic at the root servers? :-) )

Yep! Vladimir also corrected my wording there :)

> A possibly-better option would be to define what the responses to pointless
> queries could be. Given that we know that different authoritative server
> software already offer different answers for this particular query, there is
> no need to define just one answer, but maybe list a set of answers (with
> logic for each).

Codifying current ambiguity into better specified ambiguity, while not reducing answer variability, feels like a waste of RFC (update) bandwidth to me.

> Or, we can just ignore it again until it comes up again fiveish years from
> now. Any attempted update to RFC 4035 will cause some people to squawk even
> if it makes the intent clearer.
>

The earlier thread deemed both variants legitimate, in which case there is nothing to do. My reading of the current text is that the delegation response is the right one; and, as stated, my preference if we change anything is to, now worded better, make these queries pointless and allow servers to respond with absolutely nothing useful to them.

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
