Feature request - a configurable list of domains for which cached NXDOMAINs are handled as NXRRSET instead
Description
The problem is that some authoritative zone owners have defective implementations in which queries for an A record for a given name are answered with data, but queries for AAAA or other RTYPEs (such as DNSKEY, in the case of DNSSEC-validating resolvers) are answered with NXDOMAIN.
This is clearly incorrect, per various RFCs, and can (and will) cause a denial of service to clients using resolvers that correctly implement negative response caching and/or which are DNSSEC-validating.
BIND correctly implements negative response caching, as it should, but there is no mitigating configuration available for Resolver Operators whose clients are complaining that they are able to resolve a domain via other cloud-based DNS resolver services, but not via their 'official' DNS service provider.
This is a scenario similar to the one that led BIND to introduce Negative Trust Anchors (NTAs) and, later on, validate-except (from 9.14).
Request
The suggestion is to make it possible to configure a list of domains that are known to be broken in this way, and for names under these domains to cache an NXDOMAIN response as NXRRSET instead.
The risk/danger is that over-enthusiastic resolver operators will configure this for ".", thus causing cache bloat.
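As an added illustration (not BIND code and not part of this issue), a small Python model of RFC 2308 negative caching against a constructed defective zone: it shows how a cached NXDOMAIN from a broken AAAA answer also denies later A lookups, and how the proposed per-domain downgrade to NXRRSET avoids that. The zone name, the Resolver class and the demo function are all hypothetical.

```python
"""Model of RFC 2308 negative caching plus the proposed per-domain NXRRSET downgrade.
Hypothetical simulation: names, classes and the defective zone are constructed."""

NOERROR, NXDOMAIN, NXRRSET = "NOERROR", "NXDOMAIN", "NXRRSET"

def broken_authoritative(name, rtype):
    """Constructed defective zone: answers A queries with data but returns
    NXDOMAIN (instead of an empty NOERROR answer) for every other RTYPE."""
    if name == "www.broken.example" and rtype == "A":
        return NOERROR, ["192.0.2.1"]
    return NXDOMAIN, []

class Resolver:
    def __init__(self, auth, nxrrset_domains=()):
        self.auth = auth
        self.nxrrset_domains = [d.lower().rstrip(".") for d in nxrrset_domains]
        self.positive = {}   # (name, rtype) -> rdata
        self.negative = {}   # (name, rtype or None) -> rcode; None covers the whole name

    def _downgrade(self, name):
        """True if name is at or below a listed domain ('.' lists everything)."""
        n = name.lower().rstrip(".")
        return any(d == "" or n == d or n.endswith("." + d) for d in self.nxrrset_domains)

    def resolve(self, name, rtype):
        # A cached NXDOMAIN covers every RTYPE for the name (RFC 2308 section 5);
        # this is what turns the broken AAAA answer into a denial of service for A.
        if (name, None) in self.negative:
            return NXDOMAIN, []
        if (name, rtype) in self.negative:
            return NXRRSET, []
        if (name, rtype) in self.positive:
            return NOERROR, self.positive[(name, rtype)]
        rcode, rdata = self.auth(name, rtype)
        if rcode == NOERROR:
            self.positive[(name, rtype)] = rdata
            return rcode, rdata
        if rcode == NXDOMAIN and not self._downgrade(name):
            self.negative[(name, None)] = NXDOMAIN
            return NXDOMAIN, []
        # Listed domain: cache only this RTYPE as missing (assumed to be handed to
        # the client in the same downgraded form), so A lookups are unaffected.
        self.negative[(name, rtype)] = NXRRSET
        return NXRRSET, []

def demo(nxrrset_domains=()):
    """Query AAAA first (defective NXDOMAIN), then A; return both rcodes."""
    r = Resolver(broken_authoritative, nxrrset_domains)
    aaaa, _ = r.resolve("www.broken.example", "AAAA")
    a, _ = r.resolve("www.broken.example", "A")
    return aaaa, a
```

With no list configured, demo() yields NXDOMAIN for both queries; listing broken.example (or, over-broadly, ".") yields NXRRSET for AAAA and NOERROR for A.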
Links / references
https://tools.ietf.org/html/rfc2308