[dns-operations] [Ext] A? ftp://netgear.routerlogin.net/shares/.
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Dec 10 18:00:36 UTC 2020

On Thu, Dec 10, 2020 at 06:43:00PM +0100, Jeroen Massar via dns-operations wrote:
> Maybe one thing we as recursive operators could in theory do is to
> detect https:// & http:// & ftp:// or just :// and NXDOMAIN those
> queries directly instead of asking the root for something that cannot
> work.

Given a qname like "ftp://netgear.routerlogin.net/shares/" aggressive
NSEC caching makes it possible for a resolver to locally infer the
non-existence of the ".com/shares/" TLD, and return a cached NXDomain
response (with appropriate NSEC and RRSIG records should the query
solicit those via the "DO" bit).

Note that http://somename.example.com is a valid DNS name, for which
example.com can choose to publish appropriate RRsets. So the prefix
is not something that a forwarding resolver can in general choose to
filter, but returning NSEC-derived NXDomain for fictional TLDs is
entirely reasonable.
--
Viktor.
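
Added example, not part of the original message: the inference described above, in Python, using RFC 4034 canonical ordering on the rightmost label and a constructed root-zone NSEC cache. The cache contents and the function names are assumptions for illustration; a real resolver holds NSEC records from validated responses and does not handle presentation-format names this way.

```python
"""Aggressive NSEC use (RFC 8198) reduced to the root-zone case."""

# Constructed excerpt of a validated root-zone NSEC cache as (owner, next)
# TLD labels; "" is the root apex. Illustrative, not a root-zone snapshot.
ROOT_NSEC_CACHE = [("", "aaa"), ("com", "comcast"), ("net", "netbank")]


def tld_label(qname: str) -> bytes:
    """Rightmost label of qname, lowercased for canonical ordering.

    Splits on "." only, so escaped dots inside a label are not handled.
    """
    labels = qname.rstrip(".").split(".")
    return labels[-1].lower().encode("ascii")


def covered(label: bytes, cache=ROOT_NSEC_CACHE) -> bool:
    """True if a cached NSEC proves that nothing exists at this label.

    Python compares bytes as left-justified unsigned octet strings, which
    matches the canonical order of single labels (RFC 4034, section 6.1).
    """
    for owner, nxt in cache:
        lo, hi = owner.encode("ascii"), nxt.encode("ascii")
        # An NSEC whose next name is the apex is the last one in the chain.
        if lo < label and (label < hi or hi == b""):
            return True
    return False


def synthesize_nxdomain(qname: str) -> bool:
    """Can the resolver answer NXDomain from cache without asking the root?

    Requires one NSEC covering the TLD label and one covering the root
    wildcard "*". A label equal to an NSEC owner (an existing TLD such as
    "com") is never covered, so names below it still go upstream.
    """
    return covered(tld_label(qname)) and covered(b"*")


if __name__ == "__main__":
    for name in ("ftp://netgear.routerlogin.net/shares/",
                 "http://somename.example.com"):
        print(name, "->", "NXDomain from cache" if synthesize_nxdomain(name)
              else "must resolve normally")
```

The first name's rightmost label is "net/shares/", which sorts between "net" and "netbank"; the second ends in the existing "com" delegation, so only example.com's servers can say whether it exists.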