[please do not explicitly send copies of followups to me]

Brad Knowles wrote/schrieb/scripsit:
> Best practice? No, I would disagree most vehemently on that. If nsd is doing this, then I believe it needs to be fixed. Handing out a referral to the root zone is no more work than handing out SERVFAIL.
The ability to hand out referrals has an administrative overhead and is thus more prone to errors. The recent misconfiguration of NS.EU.NET is a good example for that. Most importantly, responding with a SERVFAIL is RFC compliant.
> Now, for users of nsd, yes this is a serious problem. They are not given any choice. But then, nsd is not useful as a general-purpose authoritative nameserver -- it is designed as a root/TLD nameserver, and anyone who mis-uses or abuses it to try to serve as a general-purpose authoritative nameserver basically gets what they deserve.
Are you suggesting that different demands for conformance should be applied to root/TLD nameservers vs. others? There is btw. nothing in the announcements of and documentation for NSD to suggest that it might not be designed or fit for use as a general-purpose authoritative nameserver.

-Stefan

--
junior guru SP666-RIPE SMP@{IRC,SILC}