[dns-operations] [Ext] Possibly-incorrect NSEC responses from many RSOs
fw at deneb.enyo.de
Tue Mar 2 19:41:59 UTC 2021
* Viktor Dukhovni:
> * For RRSIG and NSEC3, authoritative servers MAY respond with REFUSED, or,
> for RRSIG, assuming the qname exists, MAY return either a synthetic answer
> of their choice or some non-empty subset of the actual RRSIG records. For
> synthetic replies, a zero TTL answer with an arbitrary well-formed payload
> will do, there's no way to validate it and no point in caching it.
Typical iterative resolvers retry a different authoritative server on
REFUSED, so changing authoritative server behavior in this way before
iterative resolvers filter such queries is probably not a good idea.
More information about the dns-operations