[dns-operations] Dumb question: why is it that some registries limit the nameservers that can be delegated to?

Daniel Kalchev daniel at digsys.bg
Fri Sep 12 08:05:47 UTC 2014



On 11.09.14 21:51, Colm MacCárthaigh wrote:
> For example if a provider booted a box with an empty configuration, it
> would be much better to timeout queries than respond with SERVFAIL or
> REFUSED.

The protocol expects a response from the server. If no response, the
server is considered down. Some of the proposed ways to fix recent DDoS
involve temporarily suspending queries to servers that do not respond
(in time). This is what will happen to your authoritative server, if you
configure it to exhibit such behavior.

What you intend to do is probably best served by "connection refused"
response.

Daniel
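An added example, not part of the thread above, showing how an operator can check which of the three behaviours discussed (a timeout, an explicit RCODE such as SERVFAIL or REFUSED, or an ICMP port unreachable that the OS reports as a refused connection on a connected UDP socket) a nameserver actually exhibits. It uses only the Python standard library and builds the DNS query by hand; the function names `build_query`, `parse_response`, `probe` and `resolver_view` are my own, and the server address and zone name passed to `probe` are placeholders you substitute with your own servers.

```python
import os
import socket
import struct

# RCODE values from RFC 1035 section 4.1.1 (only the low 4 bits of flags).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name: str, qid: int, qtype: int = 2) -> bytes:
    """Build a minimal DNS query (default QTYPE 2 = NS, QCLASS IN).

    Flags are zero (no RD), mirroring what a resolver sends to an
    authoritative server rather than what a stub sends to a recursor.
    """
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_response(packet: bytes, qid: int) -> str:
    """Return the RCODE name of a response, validating ID and QR bit."""
    if len(packet) < 12:
        raise ValueError("short packet")
    rid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode)


def probe(server: str, name: str, timeout: float = 2.0, port: int = 53) -> str:
    """Send one UDP query and classify what came back.

    Returns "answered:<RCODE>", "timeout", or "port-unreachable".
    connect() on the UDP socket is what makes an ICMP port unreachable
    surface as ConnectionRefusedError instead of a silent timeout.
    """
    qid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((server, port))
        sock.send(build_query(name, qid))
        data = sock.recv(512)
        return "answered:" + parse_response(data, qid)
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "port-unreachable"
    finally:
        sock.close()


def resolver_view(result: str) -> str:
    """How a resolver's server-selection logic is likely to treat the result.

    Only a timeout makes the server look dead (and eligible for temporary
    suspension); any packet or ICMP error is a fast, explicit failure.
    """
    if result == "timeout":
        return "treated as down"
    return "explicit failure, server still considered alive"


if __name__ == "__main__":
    # Placeholder target: replace with your own authoritative server and zone.
    r = probe("192.0.2.1", "example.com", timeout=1.0)
    print(r, "->", resolver_view(r))
```

Run it against each server in a delegation before publishing the NS set; a result of `timeout` is the case Daniel warns about, while `answered:REFUSED`, `answered:SERVFAIL` or `port-unreachable` all return control to the resolver immediately.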


