@ondrej I mean it's OK to return REFUSED to non recursive queries. It's not OK to do otherwise. Nothing to do with hijacking.
@ruff I never said that it is not ok. You can’t rip one sentence of the whole message and start arguing.
@ondrej ok then I totlly miss the point. You cannot do DNS adblock without hijacking DNS, but yes that shouldn't be each and every request (proxying dns and breaking normal recursion) instead only for blacklisted. But if you hijack everything and pretend to be AA for everything then RD should be totally irrelevant as everything is non-recursive. Is it what you are saying that it still requires RD even when pretending being AA?
@ruff How is the even closely related to what I wrote? It’s the combination of DNS hijacking and RD-required that’s problematic.