[dns-operations] NXDOMAIN for some types and not others (Was: Too Open (Was: OpenDNS makes your Internet work better

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Jul 11 07:13:55 UTC 2006


On Mon, Jul 10, 2006 at 02:15:45PM -0700,
 David Ulevitch <davidu at everydns.net> wrote 
 a message of 35 lines which said:

> While I prefer bugs to be sent privately 

Well, anyone can see it, so there is no reason to hide it.

[Already reported by Niels Bakker on NANOG.]

OpenDNS violates the DNS protocol here:

~ % dig A www.nic.rf

; <<>> DiG 9.2.4 <<>> A www.nic.rf
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57193
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.nic.rf.                    IN      A

;; ANSWER SECTION:
www.nic.rf.             1       IN      A       208.67.219.40

;; Query time: 208 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Tue Jul 11 09:12:21 2006
;; MSG SIZE  rcvd: 44


~ % dig AAAA www.nic.rf 

; <<>> DiG 9.2.4 <<>> AAAA www.nic.rf
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25198
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.nic.rf.                    IN      AAAA

;; Query time: 163 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Tue Jul 11 09:12:26 2006
;; MSG SIZE  rcvd: 28


Same thing if you use MX or any other type instead of AAAA. The OpenDNS
resolver must return NOERROR with no answer if it does not want to
generate AAAA or MX records, not NXDOMAIN.
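
Added example, not part of the original message: a small Python check that parses raw DNS responses and reports names for which a resolver returned NXDOMAIN for one query type and NOERROR for another. The two sample messages are constructed from the header values, flags and answer shown in the dig output above; the function names are illustrative.

```python
import struct

NOERROR, NXDOMAIN = 0, 3
TYPE_A, TYPE_AAAA = 1, 28

def build_response(msg_id, flags, qname, qtype, a_rdata=None, ttl=1):
    """Encode a minimal DNS response: one question, optional single A answer."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 1 if a_rdata else 0, 0, 0)
    answer = b""
    if a_rdata:
        # 0xC00C is a compression pointer to the question name at offset 12.
        answer = struct.pack("!HHHIH", 0xC00C, TYPE_A, 1, ttl, 4) + bytes(a_rdata)
    return header + question + answer

def parse_response(msg):
    """Return (qname, qtype, rcode, ancount) from a raw DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while msg[pos]:
        length = msg[pos]
        if length & 0xC0:
            raise ValueError("unexpected compression in question name")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    (qtype,) = struct.unpack("!H", msg[pos + 1:pos + 3])
    return ".".join(labels) + ".", qtype, flags & 0x000F, ancount

def inconsistent_names(messages):
    """Names answered with NXDOMAIN for one type and NOERROR for another."""
    seen = {}
    for m in messages:
        name, qtype, rcode, _ancount = parse_response(m)
        seen.setdefault(name, {})[qtype] = rcode
    return sorted(n for n, r in seen.items()
                  if NXDOMAIN in r.values() and NOERROR in r.values())

# Constructed samples mirroring the two dig answers quoted above.
A_RESP = build_response(57193, 0x8180, "www.nic.rf", TYPE_A, (208, 67, 219, 40))
AAAA_RESP = build_response(25198, 0x8583, "www.nic.rf", TYPE_AAAA)
# What a consistent resolver would send for AAAA: NOERROR with an empty answer.
AAAA_NODATA = build_response(25198, 0x8180, "www.nic.rf", TYPE_AAAA)

if __name__ == "__main__":
    print(inconsistent_names([A_RESP, AAAA_RESP]))    # observed behaviour
    print(inconsistent_names([A_RESP, AAAA_NODATA]))  # consistent behaviour
```

The constructed messages come out at 44 and 28 bytes, matching the MSG SIZE lines in the dig output.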


