* Viktor Dukhovni:

> * For RRSIG and NSEC3, authoritative servers MAY respond with REFUSED, or,
> for RRSIG, assuming the qname exists, MAY return either a synthetic answer
> of their choice or some non-empty subset of the actual RRSIG records. For
> synthetic replies, a zero TTL answer with an arbitrary well-formed payload
> will do, there's no way to validate it and no point in caching it.

Typical iterative resolvers retry a different authoritative server on REFUSED, so changing authoritative server behavior in this way before iterative resolvers filter such queries is probably not a good idea.
