Mark Andrews wrote on 2022-11-11 02:26:
> ...
> 4. Caching DNS Servers: Caching servers MUST [or SHOULD] NOT
>    attempt to resolve .alt names in the global DNS root. They
>    MAY respond to queries for such names with NXDOMAIN [or
>    REFUSED?].
>    Caching servers MUST NOT intercept DO=1 queries as the client
>    will not be able to validate such responses. The caching
>    recursive server MAY synthesise a provable NXDOMAIN response as
>    per RFC 8198. Caching servers SHOULD perform QNAME minimisation
>    as per RFC 7816 for the .alt namespace by default. Querying for
>    alt/DS or alt/NS will achieve this without leaking the query type.
I'm comfortable with either. A query for anything.ALT appearing on any
wire is a sign of misconfiguration. Dropping it, answering insecurely,
answering SERVFAIL, or letting QNAME minimization from the root zone
happen and sending a secure NXDOMAIN, are all in-scope here. As long as we
are protecting the root zone from .ALT query storms, we're good. No
other predictable or reliable response should be specified. Makers and
operators who allow .ALT queries to appear on the wire should learn fear
and should live in fear. Being liberal in how we receive those queries
is in absolutely nobody's best interests.
--
P Vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
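As an added illustration (not text from the thread, the draft, or any real resolver), the following Python sketches the caching-resolver policy proposed above: a .alt name never reaches the root as a full QNAME, a cached root NSEC lets the resolver synthesise a provable NXDOMAIN per RFC 8198 without any root query, a DO=1 query that cannot be proven is forwarded only as the minimised alt./NS probe of RFC 7816, and an unsigned query may simply be refused. The NSEC records, names and function names are constructed assumptions.

```python
from dataclasses import dataclass

NXDOMAIN, REFUSED, FORWARD = "NXDOMAIN", "REFUSED", "FORWARD"


@dataclass
class Nsec:
    """One cached, validated NSEC record from the root zone (constructed)."""
    owner: str
    next_name: str


def canon(name: str) -> str:
    """DNSSEC canonical form of a root-child label: lowercase, no trailing dot."""
    return name.rstrip(".").lower()


def nsec_covers(rr: Nsec, label: str) -> bool:
    """RFC 4034 canonical ordering: owner < label < next proves non-existence.
    The last NSEC in the zone points back at the apex and covers every
    name that sorts after its owner."""
    o, n, q = canon(rr.owner), canon(rr.next_name), canon(label)
    if n == "":                 # next name is the root apex: wraps around
        return q > o
    return o < q < n


def tld(qname: str) -> str:
    return canon(qname).split(".")[-1]


def handle_query(qname: str, qtype: str, do_bit: bool, root_nsec_cache):
    """Return (action_or_rcode, query_sent_toward_root_or_None)."""
    if tld(qname) != "alt":
        return FORWARD, (qname, qtype)          # ordinary resolution path
    # A .alt name: the full QNAME must never be forwarded toward the root.
    if any(nsec_covers(rr, "alt") for rr in root_nsec_cache):
        # Aggressive NSEC use (RFC 8198): provable NXDOMAIN from cache, valid
        # for DO=1 clients too, since they can validate the cached NSEC.
        return NXDOMAIN, None
    if do_bit:
        # Cannot intercept a DO=1 query with an unverifiable answer; send only
        # the QNAME-minimised probe (RFC 7816), leaking neither name nor type.
        return FORWARD, ("alt.", "NS")
    return REFUSED, None                        # the MAY REFUSED option
```

The root's NXDOMAIN reply to the minimised probe carries the NSEC that later lets every further .alt query be answered from cache, which is the "protect the root from query storms" property the thread cares about.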