[dns-operations] [Ext] Possibly-incorrect NSEC responses from many RSOs

Peter van Dijk peter.van.dijk at powerdns.com
Tue Mar 2 16:30:42 UTC 2021

On Tue, 2021-03-02 at 15:50 +0000, Paul Hoffman wrote:
> On Mar 2, 2021, at 5:23 AM, Peter van Dijk <peter.van.dijk at powerdns.com> wrote:
> > My suggestion (seriously): prohibit NSEC and RRSIG queries.
> Prohibiting queries is pointless. Systems query freely, even if stupidly. (Have you ever seen the query traffic at the root servers? :-) )

Yep! Vladimir also corrected my wording there :)

> A possibly-better option would be to define what the responses to pointless queries could be. Given that we know that different authoritative server software already offer different answers for this particular query, there is no need to define just one answer, but maybe list a set of answers (with logic for each).

Codifying current ambiguity into better specified ambiguity, while not
reducing answer variability, feels like a waste of RFC (update)
bandwidth to me.

> Or, we can just ignore it again until it comes up again fiveish years from now. Any attempted update to RFC 4035 will cause some people to squawk even if it makes the intent clearer.

The earlier thread deemed both variants legitimate, in which case there
is nothing to do. My reading of the current text is that the delegation
response is the right one; and, as stated, my preference if we change
anything is to, now worded better, make these queries pointless and
allow servers to respond with absolutely nothing useful to them.

Kind regards,
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
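The thread turns on the difference between two ways an authoritative server can answer an NSEC (or RRSIG) query for a delegated name: a delegation response (AA bit clear, no answer section, NS records for the name in the authority section) versus an authoritative answer (AA bit set, the NSEC RRset at the name in the answer section). The following is an added example, not code from the thread or from any of the participants' software: a small stdlib-only Python checker that parses a DNS response in wire format and classifies it as one or the other. The two sample messages are constructed inline for the hypothetical zone name `example.` and name server `ns.example.`; no real root-server or TLD data is used.

```python
import struct

QTYPE_NS = 2
QTYPE_NSEC = 47
QCLASS_IN = 1
FLAG_QR = 0x8000
FLAG_AA = 0x0400


def encode_name(name):
    """Wire-format a dotted name without compression ('example.' -> b'\\x07example\\x00')."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Read a name at offset `off`, following compression pointers; return (name, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower() + ".", (end if end is not None else off)


def build_response(qname, qtype, aa, answer, authority):
    """Construct a minimal response; answer/authority are lists of (owner, rtype, rdata)."""
    flags = FLAG_QR | (FLAG_AA if aa else 0)
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answer), len(authority), 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)
    for owner, rtype, rdata in answer + authority:
        body += encode_name(owner) + struct.pack("!HHIH", rtype, QCLASS_IN, 3600, len(rdata)) + rdata
    return hdr + body


def parse_response(msg):
    """Return the AA flag, question, and (owner, type) pairs of the answer and authority sections."""
    _, flags, _, ancount, nscount, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    qtype, _ = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    sections = {"answer": [], "authority": []}
    for sec, count in (("answer", ancount), ("authority", nscount)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen  # skip RDATA; only owner/type matter for classification
            sections[sec].append((owner, rtype))
    return {"aa": bool(flags & FLAG_AA), "qname": qname, "qtype": qtype, **sections}


def classify(msg):
    """'delegation' if the server referred, 'authoritative-answer' if it answered the NSEC/RRSIG query itself."""
    r = parse_response(msg)
    has_ns_for_qname = any(o == r["qname"] and t == QTYPE_NS for o, t in r["authority"])
    answered = any(o == r["qname"] and t == r["qtype"] for o, t in r["answer"])
    if not r["aa"] and not r["answer"] and has_ns_for_qname:
        return "delegation"
    if r["aa"] and answered:
        return "authoritative-answer"
    return "other"


# Constructed sample messages for an NSEC query at the hypothetical delegation "example."
NSEC_RDATA = encode_name("example-next.") + b"\x00\x01\x20"  # next name + bitmap with only NS set
REFERRAL_MSG = build_response(
    "example.", QTYPE_NSEC, aa=False, answer=[],
    authority=[("example.", QTYPE_NS, encode_name("ns.example.")),
               ("example.", QTYPE_NSEC, NSEC_RDATA)])  # NSEC rides in the authority section
ANSWER_MSG = build_response(
    "example.", QTYPE_NSEC, aa=True,
    answer=[("example.", QTYPE_NSEC, NSEC_RDATA)], authority=[])

if __name__ == "__main__":
    print("referral  ->", classify(REFERRAL_MSG))
    print("answer    ->", classify(ANSWER_MSG))
```

To use it against live data, feed `classify()` the raw bytes of a response captured with `dig +noedns` (or any resolver library that exposes wire format); the two constructed messages show the two shapes the thread describes, with the NSEC record at the delegation point sitting in the authority section of the referral and in the answer section of the authoritative variant.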
