[dns-operations] [Ext] Possibly-incorrect NSEC responses from many RSOs

Florian Weimer fw at deneb.enyo.de
Tue Mar 2 19:41:59 UTC 2021

* Viktor Dukhovni:

>   * For RRSIG and NSEC3, authoritative servers MAY respond with REFUSED, or,
>     for RRSIG, assuming the qname exists, MAY return either a synthetic answer
>     of their choice or some non-empty subset of the actual RRSIG records.  For
>     synthetic replies, a zero TTL answer with an arbitrary well-formed payload
>     will do, there's no way to validate it and no point in caching it.

Typical iterative resolvers retry a different authoritative server on
REFUSED, so changing authoritative server behavior in this way before
iterative resolvers filter such queries is probably not a good idea.
