Fallback mechanism for qname minimization failures
Description
This week I have observed a case of broken qname minimization affecting an important Spanish ISP. Their authoritative servers violated protocol by ignoring queries for non-existent QNAMEs.
The synthesized _. queries would time out and the recursive server has no fallback mechanism for this particular case.
Turns out, after contacting them and explaining the issue, they had activated a DDoS protection mechanism against "water torture" attacks.
Request
It is clear that the authoritative server is violating protocol and BIND is not to blame. However, if this protocol violation becomes popular as a DDoS protection mechanism it will spell trouble.
A possible solution would be to add a "synthesized" QNAME query timeout to the list of conditions that activate the fallback mechanism so that a non-minimized query would be sent.
Although I don't know which product is involved, I guess more cases of this pathological behavior will surface. For now we have set qname-minimization to disabled.
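The following is an added example written for this issue, not BIND's code: a small Python model of a minimizing resolver talking to an authoritative server that silently drops queries for names it does not hold (the "water torture" protection described above). It shows the three outcomes the report discusses: a well-behaved server, the current behaviour where the timed-out `_.` query ends in SERVFAIL, and the requested fallback where the timeout triggers a full, non-minimized query. The zone apex `isp.example.`, the record `www.host.isp.example.` and the `AuthServer`/`resolve` helpers are constructed for the simulation; the `_.` prefix follows the issue text rather than any particular resolver's implementation.

```python
"""Model of qname minimization against an authoritative server that drops
queries for non-existent names, plus the fallback this issue requests.

Added example, not BIND's code. Zone names and records are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


class Timeout(Exception):
    """Raised when the simulated authoritative server never answers."""


@dataclass
class Response:
    rcode: str                    # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    answer: Optional[str] = None  # simplified: one A record, or None


@dataclass
class AuthServer:
    """Authoritative server for one zone. With drop_nonexistent=True it ignores
    queries for names it does not hold, a crude 'water torture' defence that
    violates the protocol (a correct server answers NXDOMAIN)."""
    apex: str
    records: dict
    drop_nonexistent: bool = False
    log: list = field(default_factory=list)  # every query received, for inspection

    def query(self, qname: str, qtype: str = "A") -> Response:
        self.log.append((qname, qtype))
        if qname in self.records:
            return Response("NOERROR", self.records[qname])
        if self.drop_nonexistent:
            raise Timeout(qname)         # query silently discarded; client times out
        return Response("NXDOMAIN")      # conformant answer for an unknown name


def minimized_names(qname: str, apex: str) -> list:
    """Synthesized `_.`-prefixed names a minimizing resolver asks, revealing one
    label at a time between the known zone apex and the full qname."""
    labels = qname.rstrip(".").split(".")
    apex_labels = apex.rstrip(".").split(".")
    hidden = labels[: len(labels) - len(apex_labels)]  # labels not yet revealed
    return [
        "_." + ".".join(hidden[i:] + apex_labels) + "."
        for i in range(len(hidden) - 1, 0, -1)
    ]


def resolve(qname: str, auth: AuthServer, fallback_on_timeout: bool) -> Response:
    """Resolve qname with minimization. fallback_on_timeout is the behaviour the
    issue asks for: a timed-out synthesized query makes the resolver retry with
    the full, non-minimized name instead of failing the lookup."""
    for probe in minimized_names(qname, auth.apex):
        try:
            auth.query(probe)            # NXDOMAIN or NOERROR both mean "keep going"
        except Timeout:
            if fallback_on_timeout:
                return auth.query(qname)
            return Response("SERVFAIL")  # today's outcome: no fallback for this case
    return auth.query(qname)             # all intermediate labels revealed


def drops_nonexistent_names(auth: AuthServer) -> bool:
    """Operator check: ask for a name that certainly does not exist. A healthy
    server answers NXDOMAIN; silence means minimized queries will time out."""
    try:
        auth.query("_.probe-does-not-exist." + auth.apex)
    except Timeout:
        return True
    return False


def demo(drop_nonexistent: bool, fallback_on_timeout: bool):
    """Run one resolution and return (rcode, answer, list of qnames the auth saw)."""
    auth = AuthServer(apex="isp.example.",
                      records={"www.host.isp.example.": "192.0.2.10"},  # constructed
                      drop_nonexistent=drop_nonexistent)
    resp = resolve("www.host.isp.example.", auth, fallback_on_timeout)
    return resp.rcode, resp.answer, [q for q, _ in auth.log]


if __name__ == "__main__":
    print("well-behaved auth:         ", demo(False, False))
    print("drops, no fallback (today):", demo(True, False))
    print("drops, proposed fallback:  ", demo(True, True))
```

The `drops_nonexistent_names` check is the same test an operator can run against a real authoritative server with an ordinary DNS client: query a name under the zone that is guaranteed not to exist and see whether the reply is NXDOMAIN or nothing at all. A server that answers nothing will break every minimizing resolver that depends on it, which is the case this issue describes; until the authoritative side is fixed, the resolver-side workaround mentioned above corresponds to `qname-minimization disabled;` in the `options` block of named.conf.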