[dns-operations] RCODE for bogon answers

Peter Koch pk at DENIC.DE
Thu Oct 11 18:29:49 UTC 2007


On Thu, Oct 11, 2007 at 12:45:48PM -0400, Sean Donelan wrote:

> Then would the best practice be to return the equivalent of NXDOMAIN
> for things blocked by name server policy?

that's what I'd call "defensive negative response", i.e. a response given
for queries that reach you as a consequence of a lame delegation you
cannot remove or that reach you because someone (ab)uses your server as
a forwarder.  The idea behind this response is to signal to the requesting
party that some configuration is wrong _and_ to also silence resolvers that
otherwise ignore polite responses.

In the general case it's probably best to give a protocolly reasonable and
short response, such as SERVFAIL or REFUSED.

The Internet-Draft "Identifying and Reacting to Unsolicited DNS Queries",
which lists options seen in the wild has expired, but if people think it was
useful, I'd be happy to revive it <draft-koch-dns-unsolicited-queries-01.txt>.

-Peter
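The three candidate responses discussed in this message (NXDOMAIN, SERVFAIL, REFUSED) differ only in the RCODE field of the header, so the mechanics of a "defensive negative response" are the same whichever one a server policy picks. The following is an added example, not code from Peter Koch, DENIC or the expired draft: it parses an incoming query just far enough to validate it, then builds a minimal response that echoes the ID and question section and carries the chosen RCODE. The query it is exercised on is constructed inline; the name `example.invalid.` is a placeholder. A real NXDOMAIN meant to be negatively cached would also carry an SOA record in the authority section (RFC 2308); this example deliberately returns the bare form.

```python
import struct

# RCODE values from RFC 1035, section 4.1.1
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
RCODE_NXDOMAIN = 3
RCODE_REFUSED = 5

FLAG_QR = 0x8000      # response bit
FLAG_OPCODE = 0x7800  # opcode field (bits 11-14), copied back unchanged
FLAG_RD = 0x0100      # recursion desired, copied back unchanged
HEADER_LEN = 12


def build_query(ident, qname, qtype=1, qclass=1, rd=True):
    """Constructed sample input: a plain one-question DNS query packet."""
    flags = FLAG_RD if rd else 0
    out = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00" + struct.pack("!HH", qtype, qclass)


def parse_question(packet):
    """Validate the header and question; return (id, flags, qname, qtype, qclass, question_bytes).

    Raises ValueError on anything that is not a well-formed single-question query,
    so that a stray response or garbage never gets answered at all.
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated DNS header")
    ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:HEADER_LEN])
    if flags & FLAG_QR:
        raise ValueError("packet is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question, got %d" % qdcount)
    off = HEADER_LEN
    labels = []
    while True:
        if off >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[off]
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in the question")
        off += 1
        if length == 0:
            break
        if off + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[off:off + length].decode("latin-1"))
        off += length
    if off + 4 > len(packet):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return ident, flags, ".".join(labels) + ".", qtype, qclass, packet[HEADER_LEN:off + 4]


def negative_response(query, rcode):
    """Build a minimal response to `query` carrying `rcode` and no answer records.

    QR is set, opcode and RD are copied from the query, AA/TC/RA are clear
    (this server is not authoritative for the name and offers no recursion).
    """
    if rcode not in (RCODE_SERVFAIL, RCODE_NXDOMAIN, RCODE_REFUSED):
        raise ValueError("unsupported negative RCODE %d" % rcode)
    ident, flags, _qname, _qtype, _qclass, question = parse_question(query)
    resp_flags = FLAG_QR | (flags & FLAG_OPCODE) | (flags & FLAG_RD) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", ident, resp_flags, 1, 0, 0, 0)
    return header + question


def rcode_of(packet):
    """Extract the RCODE from a DNS packet header."""
    return struct.unpack("!H", packet[2:4])[0] & 0xF


if __name__ == "__main__":
    q = build_query(0x1234, "example.invalid.")
    for code in (RCODE_REFUSED, RCODE_SERVFAIL, RCODE_NXDOMAIN):
        r = negative_response(q, code)
        print("rcode=%d len=%d flags=%04x" % (rcode_of(r), len(r), struct.unpack("!H", r[2:4])[0]))
```

Whichever RCODE the policy selects, the response stays at the size of the query (33 bytes here), which is what makes it cheap to hand out to a flood of misdirected queries; the validation in `parse_question` is there so that spoofed responses aimed at the server are dropped rather than reflected.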
