On 08/04/2020 15:16, Éric Vyncke via Datatracker wrote:
> Also, if the firewall is "protecting" the DNS server (cough cough), then as a
> security officer I would prefer to block all unknown opcodes/types at the
> firewall (possibly with a reply).

See §4.

"with a reply" is fine, so long as that reply is consistent with what the real server behind the firewall would have answered (including any DNSSEC records asserting the non-existence of those types).

Dropping the queries on the floor with no reply is precisely what the document seeks to prohibit, though. It can cause an otherwise functional server to be tagged by clients as non-responsive.

Ray

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
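The following is an added illustration of the point Ray makes above; it is not part of his message, of Éric's review, or of the draft being discussed. It is a small Python probe that builds a query for an RR type a firewall is unlikely to know (65280, the first value of the private-use range, chosen here as an assumption) and classifies what comes back the way a client would: no reply at all is the "dropped" failure mode, any reply is acceptable, and a reply whose NSEC type bitmap claims the queried type exists while no such RRset is returned is flagged as inconsistent. The three responses it classifies are constructed in the script itself so it runs without network access; the names, the probe type and the verdict strings are the example's own.

```python
"""Probe helper for unknown-RR-type handling at a firewall (added example, not from the thread).

All wire data below is constructed inline; nothing is sent on the network.
"""
import struct

NSEC = 47
PRIVATE_TYPE = 65280   # first value of the RFC 6895 private-use type range; an assumption for this probe


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, qid=0x1234):
    """Standard query, RD set, plus an OPT RR with the DO bit so DNSSEC proofs are returned."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)   # OPT, size 1232, DO=1
    return header + question + opt


def read_name(data, off):
    """Decode a possibly compressed name; returns (name, offset just past it in the stream)."""
    labels, end = [], None
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:                                   # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", end if end is not None else off


def nsec_types(rdata):
    """Decode an NSEC type bitmap (RFC 4034 section 4.1.2) into the set of asserted type codes."""
    types, off = set(), 0
    _, off = read_name(rdata, off)                              # next owner name (never compressed)
    while off < len(rdata):
        window, length = rdata[off], rdata[off + 1]
        off += 2
        for i, byte in enumerate(rdata[off:off + length]):
            for bit in range(8):
                if byte & (0x80 >> bit):
                    types.add(window * 256 + i * 8 + bit)
        off += length
    return types


def classify(response, qid, qtype):
    """Verdict for one probe: 'dropped', 'mismatched-id', 'inconsistent' or 'answered rcode=N'."""
    if response is None:
        return "dropped"                                        # the behaviour the draft forbids
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    if rid != qid:
        return "mismatched-id"
    off = 12
    for _ in range(qd):
        _, off = read_name(response, off)
        off += 4
    answered, asserted = set(), set()
    for idx in range(an + ns + ar):
        _, off = read_name(response, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if idx < an:
            answered.add(rtype)
        elif rtype == NSEC:
            asserted |= nsec_types(response[off:off + rdlen])
        off += rdlen
    if qtype in asserted and qtype not in answered:
        return "inconsistent"                                   # proof of existence, but no RRset
    return f"answered rcode={flags & 0x000F}"


def build_rr(name, rtype, rdata, ttl=3600):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(qid, rcode, qname, qtype, answer=(), authority=()):
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(answer), len(authority), 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1) + b"".join(answer) + b"".join(authority)


def nsec_rdata(next_name, types):
    """Encode NSEC RDATA for a set of type codes, one window block per 256-type window."""
    windows = {}
    for t in sorted(types):
        windows.setdefault(t >> 8, bytearray(32))[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
    out = encode_name(next_name)
    for w in sorted(windows):
        bits = bytes(windows[w]).rstrip(b"\x00")
        out += bytes([w, len(bits)]) + bits
    return out


def probe_samples():
    """Constructed responses: a consistent NODATA, an NSEC that contradicts itself, and silence."""
    qname, qid = "example.test.", 0x1234
    soa = build_rr(qname, 6, encode_name("ns1.example.test.") + encode_name("hostmaster.example.test.")
                   + struct.pack("!IIIII", 1, 7200, 3600, 1209600, 3600))
    nodata = build_response(qid, 0, qname, PRIVATE_TYPE, authority=[
        soa, build_rr(qname, NSEC, nsec_rdata("a.example.test.", {1, 2, 6, 46, 47}))])
    bogus = build_response(qid, 0, qname, PRIVATE_TYPE, authority=[
        soa, build_rr(qname, NSEC, nsec_rdata("a.example.test.", {1, 2, 6, 46, 47, PRIVATE_TYPE}))])
    return {
        "consistent-nodata": classify(nodata, qid, PRIVATE_TYPE),
        "nsec-contradicts-answer": classify(bogus, qid, PRIVATE_TYPE),
        "firewall-drops-query": classify(None, qid, PRIVATE_TYPE),
    }


if __name__ == "__main__":
    print(probe_samples())
```

To use it against a real deployment, send `build_query(...)` over UDP to the firewall-fronted address and to the server directly, pass each reply (or `None` on timeout) to `classify`, and compare the two verdicts; the NSEC check is only an internal-consistency proxy, and the real test is whether the firewall's reply matches what the server behind it returns.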