How common is it for authoritative DNS servers to not respond to queries for zones they are not authoritative for (instead of returning REFUSED)?
When Route 53 launched, we blackholed queries like this and didn't respond. The reason was intentional: if there were ever a disastrous misconfiguration that meant the servers were "missing" zones that they should have, we wanted to avoid poisoning resolvers.
We changed behavior because of one TLD: .is, whose operators pre-check nameservers for .is domains, and if they don't return something, or REFUSED, you can't delegate to them. So this makes it uncommon in practice.
I wish .is would change practices, if they haven't since. Blackholing is still safer IMO.
Interesting! Thanks a lot, Colm!