On Thu, Mar 12, 2015 at 11:38:04PM +0000, Darcy Kevin (FCA) wrote:
> So you're thinking it's more likely that we'll get folks to understand
> this new type, that's designed to frustrate QTYPE=* queries in a
> more-or-less graceful way, than it is to convince them to stop making
> QTYPE=* queries in the first place?

They don't need to understand it, they just need to be able to receive
it without choking.

This could be a pretty brilliant solution, actually: If you're
authoritative for a signed zone and you receive a query of type ANY,
return the applicable NSEC/NSEC3; if the zone is *not* signed, synthesize
a response containing a single RR with a type from the "private use"
range (e.g. TYPE65531 or whatever), zero length rdata, and a long TTL.
The resolver would get an answer, so it stops asking; it would *not*
cache the answer as an empty node, so subsequent queries for other
qtypes can still resolve.

I like this better than any of the prior suggestions.

(It doesn't address qmail's problem, but that's a lost cause no matter
which method is chosen.)

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
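
The unsigned-zone branch of the suggestion above, sketched at the wire-format level as an added example that is not part of the original message and not ISC or BIND code. The function names, the 86400-second TTL, the AA flag and the use of a compression pointer for the owner name are assumptions; the signed-zone NSEC/NSEC3 branch is left out because it needs zone data.

```python
import struct

QTYPE_ANY = 255
PRIVATE_TYPE = 65531   # TYPE65531, the private-use type named in the message
LONG_TTL = 86400       # assumption: the message only says "a long TTL"

def build_query(qid, name, qtype):
    """Constructed sample input: a one-question query, class IN, no flags."""
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                     for lab in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def question_end(msg):
    """Offset just past the first question; QNAME must be uncompressed."""
    off = 12
    while msg[off] != 0:
        if msg[off] > 63:
            raise ValueError("compressed or invalid label in QNAME")
        off += 1 + msg[off]
    return off + 5     # root label (1) + QTYPE (2) + QCLASS (2)

def synthesize_any_response(query):
    """Return the synthesized answer for an ANY query, else None."""
    try:
        qid, flags, qdcount = struct.unpack("!HHH", query[:6])
        end = question_end(query)
        qtype, qclass = struct.unpack("!HH", query[end - 4:end])
    except (IndexError, ValueError, struct.error):
        return None    # truncated or malformed query
    if qdcount != 1 or qtype != QTYPE_ANY:
        return None    # not this code path; normal resolution applies
    rflags = 0x8400 | (flags & 0x0100)   # QR=1, AA=1, echo RD, RCODE=0
    header = struct.pack("!HHHHHH", qid, rflags, 1, 1, 0, 0)
    # Single RR: owner = pointer to QNAME at offset 12, RDLENGTH = 0.
    rr = struct.pack("!HHHIH", 0xC00C, PRIVATE_TYPE, qclass, LONG_TTL, 0)
    return header + query[12:end] + rr

def parse_answer(resp):
    """Decode the header counts and the one answer RR for inspection."""
    end = question_end(resp)
    _, rtype, _, ttl, rdlen = struct.unpack("!HHHIH", resp[end:end + 12])
    return {"ancount": struct.unpack("!H", resp[6:8])[0], "rcode": resp[3] & 0x0F,
            "type": rtype, "ttl": ttl, "rdlength": rdlen}

if __name__ == "__main__":
    reply = synthesize_any_response(build_query(0x1234, "example.com", QTYPE_ANY))
    print(len(reply), parse_answer(reply))
```

The synthesized reply is always exactly 12 bytes longer than the query, whatever the owner name holds, and it is NOERROR with one answer rather than an empty answer section.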