[dns-operations] DNS .com/.net resolution problems in the Asia/Pacific region
Paul Vixie
paul at redbarn.org
Tue Jul 18 19:28:36 UTC 2023
i have two comments here.
Ondřej Surý wrote on 2023-07-18 11:54:
> With my implementor’s hat on, I think this is wrong approach. It (again) adds a complexity to the resolvers and yet again based (mostly) on isolated incident. I really don’t want yet another “serve-stale” in the resolvers. I have to yet see an evidence that serve-stale has helped anything since the original incident, but now every resolver has to have it because people want it.
i think serve-stale is a protocol violation and should be described that
way in an RFC and that any implementation who chooses to provide it
should also emit a syslog() warning when it is enabled. so, yes. but,
also no, because gavin's suggestion is nothing like serve-stale. see below.
>> On 18. 7. 2023, at 20:38, Gavin McCullagh <gmccullagh at gmail.com> wrote:
>>
>> I'd like to reach out to NLNet about changing Unbound to do this, so I want to make sure people have a chance to disagree. Feel free to voice your disagreement (and reasons) here if you do.
i don't think this should be an implementation option. we should define
stale-sigs in an RFC and describe them as "like servfail or formerr",
and require in all three cases (stale sigs, servfail, formerr) that at
least one other ns.nsdname be consulted before signaling failure on the
original request.
this level of complexity is the cost of full resolving. we have to limit
the amount of work done by stubs, but we do that by migrating the work
to the recursives.
--
P Vixie
More information about the dns-operations
mailing list