On Tue, 2021-03-02 at 18:06 -0200, Viktor Dukhovni wrote:
> > On Mar 2, 2021, at 5:41 PM, Florian Weimer <[email protected]> wrote:
> >
> > Typical iterative resolvers retry a different authoritative server on
> > REFUSED, so changing authoritative server behavior in this way before
> > iterative resolvers filter such queries is probably not a good idea.
>
> Yes, this is why I'd recommend the synthetic answer, at least initially.
> If some day enough of the legitimate resolvers stop forwarding such
> queries, just refusing them would become more attractive.
Compared to REFUSED, the synthetic RRSIG has the benefit of not causing a
retry towards another auth (as Florian said); why not go another step then
and make it cacheable? You say 'no point in caching', I agree, but then how
about going another step and saying 'no point in a resolver repeating this
question on behalf of a client every second' - so put a juicy TTL on it.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
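To make the trade-off in the thread concrete, here is a toy simulation of the three authoritative behaviours being compared: REFUSED (which a typical resolver answers by retrying the next authoritative server), a synthetic answer with TTL 0, and a synthetic answer with a long TTL. It counts how many queries reach the authoritative side when a client asks the same question once a second. This is an added example written for this page, not code from the dns-operations list, from any of the participants, or from PowerDNS. The resolver model (retry the next auth on REFUSED, cache any positive answer for its TTL, no negative caching or TTL capping) and the query name example.test. are simplifying assumptions.

```python
"""Toy model: upstream query load for a question an authoritative server would
rather not answer, under three auth policies.

Added example for the dns-operations thread above; not code from the list,
its participants, or PowerDNS. The resolver behaviour here is a deliberate
simplification (assumption): retry the next auth on REFUSED, cache only
positive answers, cache exactly for the TTL, no negative caching.
"""
from dataclasses import dataclass, field

REFUSED = "REFUSED"
NOERROR = "NOERROR"
SERVFAIL = "SERVFAIL"


@dataclass
class Answer:
    rcode: str
    ttl: int = 0  # seconds; only meaningful for a NOERROR answer


@dataclass
class AuthServer:
    """Authoritative server with one of two policies for the unwanted query."""
    name: str
    policy: str            # "refuse" -> REFUSED, "synthetic" -> NOERROR + TTL
    synthetic_ttl: int = 0  # TTL placed on the synthetic answer
    queries_seen: int = 0

    def respond(self, qname: str, qtype: str) -> Answer:
        self.queries_seen += 1
        if self.policy == "refuse":
            return Answer(REFUSED)
        # Synthetic answer: NOERROR carrying whatever TTL the operator chose.
        return Answer(NOERROR, self.synthetic_ttl)


@dataclass
class Resolver:
    """Iterative resolver: cache lookup, then walk the auth list on REFUSED."""
    auths: list
    cache: dict = field(default_factory=dict)  # (qname, qtype) -> (expiry, Answer)
    upstream_queries: int = 0

    def resolve(self, qname: str, qtype: str, now: int) -> Answer:
        key = (qname, qtype)
        cached = self.cache.get(key)
        if cached is not None and cached[0] > now:
            return cached[1]                      # served from cache, no upstream
        for auth in self.auths:
            self.upstream_queries += 1
            ans = auth.respond(qname, qtype)
            if ans.rcode == REFUSED:
                continue                          # assumption: try another auth
            if ans.ttl > 0:
                self.cache[key] = (now + ans.ttl, ans)
            return ans
        return Answer(SERVFAIL)                   # every auth refused


def simulate(policy: str, synthetic_ttl: int, n_auths: int = 3,
             client_queries: int = 60, interval: int = 1) -> int:
    """Return the number of upstream queries caused by a client asking the
    same (constructed) question every `interval` seconds."""
    auths = [AuthServer(f"ns{i}", policy, synthetic_ttl) for i in range(n_auths)]
    resolver = Resolver(auths)
    for i in range(client_queries):
        resolver.resolve("example.test.", "RRSIG", now=i * interval)
    return resolver.upstream_queries


if __name__ == "__main__":
    for label, policy, ttl in (("REFUSED", "refuse", 0),
                               ("synthetic, TTL 0", "synthetic", 0),
                               ("synthetic, TTL 3600", "synthetic", 3600)):
        print(f"{label:22s}: {simulate(policy, ttl)} upstream queries / minute")
```

With three authoritative servers and one client query per second, the REFUSED policy costs three upstream queries per client query (one per auth, every time), the uncacheable synthetic answer costs one per client query, and a synthetic answer with a long TTL costs one per TTL window, which is the effect the "juicy TTL" suggestion is after.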
