On 19/08/2022 20.06, Paul Wouters wrote:
> Security Considerations could say that .alt queries MUST NOT be forwarded to other DNS servers for resolution.
There's a dilemma with SUDNs. If a resolver isn't allowed to "send the name upstream", it might not be able to return a DNSSEC-correct denial. While it's often fine to return a forged bogus answer, it's certainly not a perfect setup. For example, validators that don't support a SUDN yet, forwarding to resolvers that already support that SUDN, generate retry loops and eventually SERVFAILs.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
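The dilemma described in the reply above, as an added model that is not part of the thread and not code from any DNS implementation: a recursive resolver that answers `.alt` locally can only hand back an unsigned NXDOMAIN, whereas one that forwards to the (signed) root can return the NSEC records a validator needs. The root zone contents, the `local`/`forward` policies and the validator's simplified RFC 4035 check are all constructed for the illustration; a real denial proof also carries RRSIGs and type bitmaps, which are reduced here to a `signed` flag.

```python
"""Model of the .alt forwarding dilemma: a resolver that refuses to send
.alt queries upstream cannot give a validating client a DNSSEC-provable
denial. Constructed illustration, not code from the thread or from any
DNS software."""

# Constructed root-zone NSEC chain (owner, next, signed) with 'alt' absent.
# Real NSEC records also carry type bitmaps and RRSIGs; 'signed' stands in
# for a verified RRSIG over the record.
ROOT_NSEC = [
    (".", "aero.", True),
    ("aero.", "arpa.", True),
    ("arpa.", "com.", True),
    ("com.", "net.", True),
    ("net.", ".", True),  # last record wraps around to the apex
]
ROOT_DELEGATIONS = {"aero.", "arpa.", "com.", "net."}


def canonical_key(name):
    """Sort key for single-label names at the root ('.' sorts first)."""
    return () if name == "." else (name.rstrip(".").lower().encode(),)


def nsec_covers(nsec, name):
    """True if the NSEC record proves that `name` (a TLD) does not exist."""
    owner, nxt, _signed = nsec
    k, ko, kn = canonical_key(name), canonical_key(owner), canonical_key(nxt)
    if kn == ():               # wrap-around record covers everything after owner
        return ko < k
    return ko < k < kn


def tld_label(qname):
    return qname.rstrip(".").lower().split(".")[-1] + "."


def root_answer(qname):
    """Authoritative, signed root response for the TLD of qname."""
    tld = tld_label(qname)
    if tld in ROOT_DELEGATIONS:
        return {"rcode": "NOERROR", "nsec": [], "signed": True}
    # NXDOMAIN proof: one NSEC covering the missing TLD, one covering '*.'
    proof = [r for r in ROOT_NSEC if nsec_covers(r, tld) or nsec_covers(r, "*.")]
    return {"rcode": "NXDOMAIN", "nsec": proof, "signed": True}


def resolver(qname, policy):
    """Recursive resolver. 'forward' sends everything upstream; 'local'
    answers .alt itself without ever sending the name upstream."""
    labels = qname.rstrip(".").lower().split(".")
    if policy == "local" and labels[-1] == "alt":
        # Synthesized denial: no NSEC chain and no signatures to offer.
        return {"rcode": "NXDOMAIN", "nsec": [], "signed": False}
    return root_answer(qname)


def validate_nxdomain(qname, resp):
    """'secure' if resp carries signed NSEC proof for the TLD and for the
    root wildcard, 'bogus' otherwise. Simplified relative to RFC 4035."""
    if resp["rcode"] != "NXDOMAIN":
        return "not-a-denial"
    tld = tld_label(qname)
    have_name = any(s and nsec_covers((o, n, s), tld) for o, n, s in resp["nsec"])
    have_wild = any(s and nsec_covers((o, n, s), "*.") for o, n, s in resp["nsec"])
    return "secure" if have_name and have_wild else "bogus"


def validating_client(qname, forwarders):
    """Validator that tries each forwarder policy in turn and ends in
    SERVFAIL when none returns a provable denial (the retry path)."""
    attempts = []
    for policy in forwarders:
        result = validate_nxdomain(qname, resolver(qname, policy))
        attempts.append((policy, result))
        if result == "secure":
            return "NXDOMAIN", attempts
    return "SERVFAIL", attempts


if __name__ == "__main__":
    print(validating_client("printer.alt.", ["local"]))
    print(validating_client("printer.alt.", ["local", "forward"]))
```

With only `local` forwarders the client exhausts its retries and returns SERVFAIL; as soon as one forwarder is willing to query the root, the signed NSEC records prove the name absent and the client returns a secure NXDOMAIN.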