NXDOMAIN status, with answers?
Anthony Lieuallen
alieuall at google.com
Mon Feb 8 14:00:49 UTC 2021
An interesting corner case has recently been brought to our attention, and
I'm hoping for some additional viewpoints to help me understand how best to
handle it.
An operator reported problems with our recursive resolver, after recently
enabling DNSSEC. The cause seems to be that the authoritative server is
returning an answer (a CNAME, in case it matters) but with NXDOMAIN
status. When we see NXDOMAIN we abort our recursive resolving behavior.
Later we get to the DNSSEC validation phase, but because we stopped at the
NXDOMAIN we never got the DNSKEYs for the zone, and we thus fail to
validate, and return SERVFAIL.
Other resolvers seem to be handling this domain successfully, so I'm
wondering:
* Is this (NXDOMAIN status, but CNAME and RRSIG in the answer) valid, per
the spec?
* Either way, how should a recursive handle such an authoritative response?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20210208/59098c1c/attachment.html>
More information about the dns-operations
mailing list