[dns-operations] ag.gov not providing NXDOMAIN responses

Stephane Bortzmeyer bortzmeyer at nic.fr
Thu Apr 11 10:15:35 UTC 2024


On Tue, Apr 09, 2024 at 01:09:20PM -0500,
 David Zych <dmrz at illinois.edu> wrote 
 a message of 121 lines which said:

> The problem: when queried for a record underneath ag.gov. which does
> not exist, these nameservers do not return a proper NXDOMAIN
> response; instead, they don't answer at all.

Funny enough, it depends on the QTYPE.

% dig @ns2.usda.gov. nonono.ag.gov A 
;; communications error to 2600:12f0:0:ac04::206#53: timed out
;; communications error to 2600:12f0:0:ac04::206#53: timed out
;; communications error to 2600:12f0:0:ac04::206#53: timed out
;; communications error to 199.141.126.206#53: timed out

; <<>> DiG 9.18.24-1-Debian <<>> @ns2.usda.gov. nonono.ag.gov A
; (2 servers found)
;; global options: +cmd
;; no servers could be reached

% dig @ns2.usda.gov. nonono.ag.gov NS

; <<>> DiG 9.18.24-1-Debian <<>> @ns2.usda.gov. nonono.ag.gov NS
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44750
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1220
; COOKIE: 108e6a3526539745cbe04caf6617b75afc5cf42f25232e56 (good)
;; QUESTION SECTION:
;nonono.ag.gov.		IN NS

;; AUTHORITY SECTION:
ag.gov.			900 IN SOA ns1.usda.gov. duty\.officer.usda.gov. (
...

> The practical trouble this causes has to do with an increasingly popular DNS privacy feature called QNAME Minimization, which depends upon authoritative DNS servers like yours responding in a standards-compliant way to queries like
> 
> _.ag.gov IN A
> _.ars.ag.gov IN A
> _.tucson.ars.ag.gov IN A

More fun: the previous version of QNAME minimisation used QTYPE=NS. It
then changed to QTYPE=A precisely to work around broken
middleboxes. (And also to avoid sticking out.)
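
Added example (mine, not part of the original post): a standard-library Python
probe that reproduces the dig runs above, asking an authoritative server for a
name that should not exist once with QTYPE=NS and once with QTYPE=A, and
classifies each reply as NXDOMAIN, NOERROR or TIMEOUT. It also enumerates the
queries a QNAME-minimising resolver sends on its way down to a name, with the
`_` prefix and QTYPE=A used in the quoted queries, or with the older QTYPE=NS
style (RFC 7816; RFC 9156 moved to A). Server address, names and query ids are
parameters; build_response() is a constructed header-only stand-in for a reply
so the classifier can be exercised offline.

```python
"""Probe an authoritative server the way the thread does with dig: ask for a
name that should not exist, once with QTYPE=NS and once with QTYPE=A, and
report NXDOMAIN / NOERROR / TIMEOUT for each.

Added example, not code from the original post. Standard library only; the
DNS wire format is built and parsed by hand. Nothing touches the network
unless probe() is called. Server address and names are parameters.
"""
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "AAAA": 28}
RCODE_NAME = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS wire-format labels."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name: str, qtype: str, qid: int = 0x1234, rd: bool = False) -> bytes:
    """Build a minimal DNS query (no EDNS). RD is off by default, as is proper
    for an authoritative server; dig sets it, hence its 'recursion requested
    but not available' warning in the thread."""
    flags = 0x0100 if rd else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)  # class IN


def build_response(qid: int, rcode: int, aa: bool = True, authority: int = 0) -> bytes:
    """Constructed header-only stand-in for a server reply, used to exercise
    classify() offline. Real replies also carry question/authority sections."""
    flags = 0x8000 | (0x0400 if aa else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", qid, flags, 1, 0, authority, 0)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": flags & 0xF, "counts": (qd, an, ns, ar)}


def classify(reply, qid: int) -> str:
    """Map a raw reply (None for a timeout) to the status dig would print."""
    if reply is None:
        return "TIMEOUT"
    hdr = parse_header(reply)
    if hdr["id"] != qid or not hdr["qr"]:
        return "MISMATCH"  # not a response to our query
    return RCODE_NAME.get(hdr["rcode"], "RCODE%d" % hdr["rcode"])


def probe(server: str, name: str, qtype: str, timeout: float = 3.0) -> str:
    """Send one UDP query to `server` (IPv4 or IPv6 literal) and classify it."""
    qid = 0x2A2A  # fixed for the example; use os.urandom() in real tooling
    query = build_query(name, qtype, qid)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return classify(None, qid)
    return classify(reply, qid)


def minimised_queries(qname, known_zone, original_qtype="A", probe_qtype="A", prefix="_"):
    """Queries a QNAME-minimising resolver sends while walking from the
    closest zone cut it already knows down to qname. probe_qtype="NS" with
    prefix="" is the older RFC 7816 style; "A" with the "_" prefix is what
    the queries quoted in the thread look like."""
    full = [lab for lab in qname.rstrip(".").split(".") if lab]
    zone = [lab for lab in known_zone.rstrip(".").split(".") if lab]
    if zone and full[-len(zone):] != zone:
        raise ValueError("known_zone is not a suffix of qname")
    out = []
    for i in range(len(full) - len(zone) - 1, 0, -1):
        partial = ".".join(full[i:])
        out.append(((prefix + "." + partial) if prefix else partial, probe_qtype))
    out.append((".".join(full), original_qtype))
    return out


if __name__ == "__main__":
    # Constructed usage, needs network: same server and name as the dig runs.
    for qt in ("NS", "A"):
        print(qt, probe("199.141.126.206", "nonono.ag.gov", qt))
    for n, qt in minimised_queries("host.tucson.ars.ag.gov", "gov"):
        print(n, "IN", qt)
```

A server that answers NXDOMAIN for the NS probe but TIMEOUT for the A probe
is exactly the breakage described in the thread: the old NS-based
minimisation would have worked against it, the current A-based one stalls.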
