[dns-operations] [Ext] Possibly-incorrect NSEC responses from many RSOs

Paul Vixie paul at redbarn.org
Tue Mar 2 23:31:06 UTC 2021

> > On Mar 2, 2021, at 2:30 PM, Peter van Dijk <peter.van.dijk at powerdns.com> wrote:
> > 
> > The earlier thread deemed both variants legitimate, in which case there
> > is nothing to do. My reading of the current text is that the delegation
> > response is the right one; and, as stated, my preference if we change
> > anything is to, now worded better, make these queries pointless and
> > allow servers to respond with absolutely nothing useful to them.

that seems reasonable, so long as it's limited to the behaviour of authority
servers who might answer or who might refer.

On Tue, Mar 02, 2021 at 04:57:30PM -0200, Viktor Dukhovni wrote:
> My suggestion is:
> ...
>   * Finally, only since it was mentioned in the relevant text of 403[45],
>     respond naturally to DNSKEY, that's a perfectly ordinary RRSet.

i don't think we should give up on dnssec-aware apps, or on validating stubs.
there was discussion of making the dnssec types meta-only (authority or
additional) back in the day. that road was deliberately unchosen.

Paul Vixie
