Hi,

On Jun 1, 2022, at 12:39 AM, Petr Špaček <[email protected]> wrote:
> On 24. 05. 22 17:54, Vladimír Čunát via dns-operations wrote:
>>> Configuration 1: Generate a synthetic NXDOMAIN response to all queries with
>>> no SOA provided in the authority section.
>>> Configuration 2: Generate a synthetic NXDOMAIN response to all queries with
>>> a SOA record. Some example queries for the TLD .foo are below:
>>> Configuration 3: Use a properly configured empty zone with correct NS and
>>> SOA records. Queries for the single label TLD would return a NOERROR and
>>> NODATA response.
>> I expect that's OK, especially if it's a TLD that's seriously considered.
>> I'd hope that "bad" usage is mainly sensitive to existence of records of
>> other types like A.
>
> Generally I agree with Vladimir, Configuration 3 is the way to go.
>
> Non-compliant responses are riskier than protocol-compliant responses, and
> option 3 is the only compliant variant in your proposal.
Just to be clear, the elsewhere-expressed concern with configuration 3 is that it exposes applications to new and unexpected behavior. That is, if applications have been “tuned” to anticipate an NXDOMAIN and they get something else, even a NOERROR/NODATA response, the argument goes those applications _could_ explode in an earth shattering kaboom, cause mass hysteria, cats and dogs living together, etc. While I’ve always considered this concern "a bit" unreasonable, I figure its existence is worth pointing out.

Regards,
-drc
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
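A worked check of the three configurations quoted in the thread, added here as an example; it is not code from the thread or from any of its participants. It uses only the Python standard library, constructs sample wire-format responses for a hypothetical TLD `foo` (SOA `ns.foo.` / `hostmaster.foo.`, values chosen for illustration), and classifies each response the way a resolver would under RFC 2308: a negative answer (NXDOMAIN or NOERROR/NODATA) is only cacheable when the authority section carries the zone's SOA, and the negative TTL is the smaller of the SOA record's own TTL and its MINIMUM field.

```python
"""Classify the three negative-response shapes from the dns-operations thread.

Added example, not code from the thread. Constructed responses for a
hypothetical TLD `foo`; checked against RFC 2308 negative-caching rules.
"""
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, TYPE_SOA = 1, 6
CLASS_IN = 1


def encode_name(name):
    """Wire-encode a dotted name (no label compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at msg[off], following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                  # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", (end if end is not None else off)


def soa_rdata(mname, rname, serial, refresh, retry, expire, minimum):
    return (encode_name(mname) + encode_name(rname)
            + struct.pack("!IIIII", serial, refresh, retry, expire, minimum))


def rr(name, rtype, ttl, rdata):
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_response(qname, qtype, rcode, authority=()):
    """Authoritative response (QR=1, AA=1), empty answer section, given authority RRs."""
    flags = 0x8400 | (rcode & 0xF)
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, len(authority), 0)
    return hdr + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN) + b"".join(authority)


def parse_response(msg):
    """Return (rcode, answer RRs, authority RRs); RRs are (name, type, ttl, rdata)."""
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                               # skip QTYPE + QCLASS

    def section(count, off):
        out = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            out.append((name, rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
        return out, off

    answers, off = section(an, off)
    authority, _ = section(ns, off)
    return flags & 0xF, answers, authority


def classify(msg):
    """Return (kind, compliant, negative_ttl) for a response under RFC 2308."""
    rcode, answers, authority = parse_response(msg)
    soa = next((r for r in authority if r[1] == TYPE_SOA), None)
    if rcode == RCODE_NXDOMAIN:
        kind = "NXDOMAIN"
    elif rcode == RCODE_NOERROR and not answers:
        kind = "NODATA"
    else:
        return "positive", True, None
    if soa is None:
        return kind, False, None              # nothing to cache the negative against
    _name, _, ttl, rdata = soa
    minimum = struct.unpack("!I", rdata[-4:])[0]   # SOA MINIMUM is the last RDATA field
    return kind, True, min(ttl, minimum)


# Constructed sample responses for the three configurations in the thread.
FOO_SOA = rr("foo.", TYPE_SOA, 3600,
             soa_rdata("ns.foo.", "hostmaster.foo.", 1, 3600, 900, 604800, 300))
CONFIG1 = build_response("example.foo.", TYPE_A, RCODE_NXDOMAIN)             # NXDOMAIN, no SOA
CONFIG2 = build_response("example.foo.", TYPE_A, RCODE_NXDOMAIN, [FOO_SOA])  # NXDOMAIN + SOA
CONFIG3 = build_response("foo.", TYPE_A, RCODE_NOERROR, [FOO_SOA])           # empty zone: NODATA at apex

if __name__ == "__main__":
    for label, msg in (("config 1", CONFIG1), ("config 2", CONFIG2), ("config 3", CONFIG3)):
        print(label, classify(msg))
```

Configuration 1 comes back as a negative answer with no SOA, so a resolver has no TTL to cache it against, which is the non-compliance Petr refers to. Configuration 3 only produces NODATA for the apex query shown; a properly configured empty zone answers names below the apex (e.g. `example.foo.`) with NXDOMAIN plus the SOA, i.e. the compliant shape of configuration 2, so the "applications expecting NXDOMAIN" concern in the reply above applies only to queries for the bare TLD label.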
