On Sun, Dec 13, 2015 at 11:12 PM, Shumon Huque <shu...@gmail.com> wrote:
> On Sun, Dec 13, 2015 at 4:55 PM, Stephane Bortzmeyer <bortzme...@nic.fr>
> wrote:
>
>> On Sat, Dec 05, 2015 at 05:07:13PM -0500,
>> Tim Wicinski <tjw.i...@gmail.com> wrote
>> a message of 23 lines which said:
>>
>> > This starts a Call for Adoption for draft-bortzmeyer-dnsop-nxdomain-cut
>>
>> Funny, unlike what I wrote in the draft, there is at least a recursor
>> with a partial support of NXDOMAIN cut (off by default):
>>
>> https://doc.powerdns.com/md/recursor/settings/#root-nx-trust
>>
>> root-nx-trust
>>
>> Boolean
>> Default: no
>> Available since: 3.7.0
>> If set, an NXDOMAIN from the root-servers will serve as a blanket
>> NXDOMAIN for the entire TLD the query belonged to. The effect of this
>> is far fewer queries to the root-servers.
>>
> I also recently discovered that Unbound also supports this (and more
> generally, not just for the root, but only for signed NXDOMAIN responses),
> via the configuration parameter "harden-below-nxdomain".
>
> from https://www.unbound.net/documentation/unbound.conf.html
>
> harden-below-nxdomain: <yes or no>
>     From draft-vixie-dnsext-resimprove, returns nxdomain to queries for a
>     name below another name that is already known to be nxdomain. DNSSEC
>     mandates noerror for empty nonterminals, hence this is possible. Very
>     old software might return nxdomain for empty nonterminals (that usually
>     happen for reverse IP address lookups), and thus may be incompatible
>     with this. To try to avoid this only DNSSEC-secure nxdomains are used,
>     because the old software does not have DNSSEC. Default is off.
>
> The signed negative response requirement probably indirectly addresses
> CDN/ENT misbehavior among others.
>
> Wonder if anyone uses this knob in production yet, and if there are
> experiences to report ..
>
> --
> Shumon Huque
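To make the two knobs discussed above concrete, here is an added simulation (not code from the thread, Unbound or PowerDNS Recursor) of the decision a resolver's negative cache makes: whether a cached NXDOMAIN lets it synthesise NXDOMAIN for a name below it without querying upstream. It models Unbound's rule of trusting only DNSSEC-secure NXDOMAINs and the Recursor's root-nx-trust rule that a root NXDOMAIN covers the whole TLD; the class and method names are my own, and both knobs default to off as in the quoted documentation.

```python
# Added example: simulate the "NXDOMAIN cut" decision of a resolver cache.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def labels(name: str) -> List[str]:
    """Lower-case, strip the trailing dot and split into labels; root is []."""
    name = name.lower().rstrip(".")
    return [] if name == "" else name.split(".")


def is_below(qname: str, ancestor: str) -> bool:
    """Label-wise test that qname is strictly below ancestor. A plain string
    suffix test would wrongly put notexample.org below example.org."""
    q, a = labels(qname), labels(ancestor)
    return len(q) > len(a) and q[len(q) - len(a):] == a


@dataclass
class NegativeCache:
    harden_below_nxdomain: bool = False  # Unbound knob, default off
    root_nx_trust: bool = False          # PowerDNS Recursor knob, default no
    entries: Dict[str, dict] = field(default_factory=dict)

    def remember_nxdomain(self, name: str, *, secure: bool) -> None:
        """Cache an NXDOMAIN for name; secure=True means DNSSEC-validated."""
        self.entries[".".join(labels(name))] = {"secure": secure, "from_root": False}

    def remember_root_nxdomain(self, qname: str, *, secure: bool) -> None:
        """An NXDOMAIN answered by the root is recorded against the TLD, which
        root-nx-trust then treats as a blanket NXDOMAIN for that TLD."""
        parts = labels(qname)
        if parts:
            self.entries[parts[-1]] = {"secure": secure, "from_root": True}

    def covering_nxdomain(self, qname: str) -> Optional[str]:
        """Return the cached owner whose NXDOMAIN covers qname under the
        enabled knobs, or None if the resolver must ask upstream. Only names
        strictly below the cached owner qualify (the owner itself is served
        by the ordinary negative cache, not by the cut)."""
        for owner, info in self.entries.items():
            if not is_below(qname, owner):
                continue
            if info["from_root"] and self.root_nx_trust:
                return owner
            if info["secure"] and self.harden_below_nxdomain:
                return owner
        return None
```

Note that an unsigned NXDOMAIN never covers anything with only harden-below-nxdomain set, which is exactly how Unbound sidesteps old software that returns NXDOMAIN for empty non-terminals.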
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop