Re: [dns-operations] [Ext] Possibly-incorrect NSEC responses from many RSOs

[Viktor Dukhovni]

> On Mar 2, 2021, at 5:41 PM, Florian Weimer <f...@deneb.enyo.de> wrote:
> 
> Typical iterative resolvers retry a different authoritative server on
> REFUSED, so changing authoritative server behavior in this way before
> iterative resolvers filter such queries is probably not a good idea.

Yes, this is why I'd recommend the synthetic answer, at least initially.
If some day enough of the legitimate resolvers stop forwarding such
queries, just refusing them would become more attractive.

-- 
        Viktor.

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations