[dns-operations] [Ext] Possibly-incorrect NSEC responses from many RSOs

Paul Hoffman paul.hoffman at icann.org
Tue Mar 2 15:50:29 UTC 2021


On Mar 2, 2021, at 5:23 AM, Peter van Dijk <peter.van.dijk at powerdns.com> wrote:
> My suggestion (seriously): prohibit NSEC and RRSIG queries.

Prohibiting queries is pointless. Systems query freely, even if stupidly. (Have you ever seen the query traffic at the root servers? :-) )

A possibly-better option would be to define what the responses to pointless queries could be. Given that we know that different authoritative server software already offer different answers for this particular query, there is no need to define just one answer, but maybe list a set of answers (with logic for each).

Or, we can just ignore it again until it comes up again fiveish years from now. Any attempted update to RFC 4035 will cause some people to squawk even if it makes the intent clearer.

--Paul Hoffman