[dns-operations] Input from dns-operations on NCAP proposal

Vladimír Čunát vladimir.cunat+ietf at nic.cz
Tue May 24 15:54:43 UTC 2022


On 23/05/2022 15.48, Thomas, Matthew via dns-operations wrote:
>
> Configuration 1: Generate a synthetic NXDOMAIN response to all queries 
> with no SOA provided in the authority section.
>
I believe the protocol says not to cache such answers at all. Some 
implementations chose to cache at least a few seconds, but I don't think 
all of them.  Breaking caching seems risky to me, as traffic could 
increase very much (if the TLD was queried a lot).


> Configuration 2: Generate a synthetic NXDOMAIN response to all queries 
> with a SOA record.  Some example queries for the TLD .foo are below:
>
It still feels a bit risky to answer in this non-conforming way, and I 
can't really see why to attempt that.  At apex the NXDOMAIN would deny the 
SOA included in the very same answer...


> Configuration 3: Use a properly configured empty zone with correct NS 
> and SOA records. Queries for the single label TLD would return a 
> NOERROR and NODATA response.
>
I expect that's OK, especially if it's a TLD that's seriously 
considered.  I'd hope that "bad" usage is mainly sensitive to existence 
of records of other types like A.


--Vladimir | knot-resolver.cz
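
Added example, not part of the message above: a sketch of how a resolver that follows RFC 2308 negative caching would treat the three proposed configurations, parsing wire-format responses for the .foo TLD named in the thread. The messages, SOA TTL/MINIMUM values and helper names are constructed for illustration, and replies that carry answer records are left out of scope.

```python
import struct

SOA = 6  # RR type code

def encode_name(name):
    """Encode a domain name as uncompressed wire-format labels."""
    labels = [lab for lab in name.split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:   # a compression pointer ends the name
            return off + 2
        off += 1 + n
        if n == 0:             # root label ends the name
            return off

def build_response(qname, rcode, soa=None):
    """Constructed sample response; soa is (owner, ttl, minimum) or None."""
    msg = struct.pack("!6H", 0x1234, 0x8400 | rcode, 1, 0, 1 if soa else 0, 0)
    msg += encode_name(qname) + struct.pack("!2H", 1, 1)   # question: A, IN
    if soa:
        owner, ttl, minimum = soa
        rdata = encode_name("ns." + owner) + encode_name("hostmaster." + owner)
        rdata += struct.pack("!5I", 1, 7200, 900, 604800, minimum)
        msg += encode_name(owner) + struct.pack("!2HIH", SOA, 1, ttl, len(rdata)) + rdata
    return msg

def negative_ttl(msg):
    """Negative-cache lifetime in seconds per RFC 2308; None if out of scope."""
    _id, _flags, qd, an, ns, _ar = struct.unpack_from("!6H", msg, 0)
    if an:
        return None            # answers present: not handled by this sketch
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # name, then QTYPE and QCLASS
    for _ in range(ns):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!2HIH", msg, off)
        off += 10 + rdlen
        if rtype == SOA:
            (minimum,) = struct.unpack_from("!I", msg, off - 4)  # last SOA field
            return min(ttl, minimum)           # RFC 2308 section 5
    return 0                   # no SOA: no TTL to derive, so do not cache

CONFIG1 = negative_ttl(build_response("host.foo", 3))                      # NXDOMAIN, no SOA
CONFIG2 = negative_ttl(build_response("host.foo", 3, ("foo", 3600, 900)))  # NXDOMAIN + SOA
CONFIG3 = negative_ttl(build_response("foo", 0, ("foo", 300, 900)))        # NODATA, empty zone
```

With a lifetime of 0 under configuration 1, every repeated lookup goes back to the authoritative servers, which is the traffic concern raised in the message.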