[dns-operations] [Ext] Possibly-incorrect NSEC responses from many RSOs

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Mar 2 20:06:18 UTC 2021



> On Mar 2, 2021, at 5:41 PM, Florian Weimer <fw at deneb.enyo.de> wrote:
> 
> Typical iterative resolvers retry a different authoritative server on
> REFUSED, so changing authoritative server behavior in this way before
> iterative resolvers filter such queries is probably not a good idea.

Yes, this is why I'd recommend the synthetic answer, at least initially.
If some day enough of the legitimate resolvers stop forwarding such
queries, just refusing them would become more attractive.

-- 
	Viktor.


