Authoritative servers should take NO SPECIAL BEHAVIOUR for .onion. The default behaviour of an authoritative server is fine, be it REFUSED, NOTAUTH, NXDOMAIN (when they have a copy of the root zone) or a referral to the root.
Recursive servers are a different kettle of fish.

Mark

> On 1 Dec 2021, at 12:10, Paul Vixie <paul=40redbarn....@dmarc.ietf.org> wrote:
>
> Ted Lemon wrote on 2021-11-30 17:04:
>> I don’t see how any answer from an authoritative server other than REFUSED
>> really makes sense for a domain for which that server is not authoritative.
>> It hasn’t failed. It’s been asked a bogus question. It doesn’t make sense
>> for it to theorize that it might be misconfigured.
>
> i only use REFUSED if the same question from some other query source (by IP)
> or signed differently (with TSIG or SIG(0)) could possibly work. for
> out-of-authority requests, the server must fail to answer.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org