See RFC 6604.

Donald
from iPhone

On Wed, Apr 5, 2017 at 09:34 Edward Lewis <edward.le...@icann.org> wrote:

> On 4/5/17, 01:43, "DNSOP on behalf of Mukund Sivaraman" <dnsop-boun...@ietf.org on behalf of m...@isc.org> wrote:
>
> >It seems BIND currently returns NXDOMAIN in this case, and the change in
> >behavior between looking-into-other-zones and
> >not-looking-into-other-zones in the nameserver algorithm caused a system
> >test failure, hence the question.
>
> I don't think there is one right answer. There may be a more efficient
> answer (in terms of some metric). The goal of the RFCs was
> interoperability, keep that in mind.
>
> You allude above to an implementation changing its behavior (answering
> from all available data vs. sticking to one zone). This is not something
> that is explicitly dealt with in the original RFCs, perhaps in later ones.
> Both choices have merit, have downsides, still the two are interoperable.
> As far as the protocol matters, either is a valid choice, and one that
> influences whether the query in question results in NOERROR/CNAME chain or
> NXDOMAIN.
>
> In this case, I think you don't need to worry about the querier. Rules
> seem to be explicit about caching responses here.
>
> If anything, make sure your test script is accurate. (Back in the day of
> DNSSEC protocol/code development, 1 out of 3 times DNSSEC had a protocol
> bug, 1 out of 3 times it was a software bug, and 1 out of 3 times
> everything was right but the tester - me - was expecting the wrong result.)
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

--
Sent from Gmail Mobile