[dns-operations] [Ext] Possibly-incorrect NSEC responses from many RSOs

Peter van Dijk peter.van.dijk at powerdns.com
Tue Mar 2 20:46:58 UTC 2021


On Tue, 2021-03-02 at 18:06 -0200, Viktor Dukhovni wrote:
> > On Mar 2, 2021, at 5:41 PM, Florian Weimer <fw at deneb.enyo.de> wrote:
> > 
> > Typical iterative resolvers retry a different authoritative server on
> > REFUSED, so changing authoritative server behavior in this way before
> > iterative resolvers filter such queries is probably not a good idea.
> 
> Yes, this is why I'd recommend the synthetic answer, at least initially.
> If some day enough of the legitimate resolvers stop forwarding such
> queries, just refusing them would become more attractive.

Compared to REFUSED, the synthetic RRSIG has the benefit of not causing
a retry towards another auth (as Florian said); why not go another step
then and make it cacheable? You say 'no point in caching', I agree, but
then how about going another step and saying 'no point in a resolver
repeating this question on behalf of a client every second' - so put a
juicy TTL on it.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/



More information about the dns-operations mailing list