[dns-operations] blocking recursers

Rodney Joffe rjoffe at centergate.com
Mon Mar 27 07:52:07 UTC 2006

On Mar 27, 2006, at 12:34 AM, Stephane Bortzmeyer wrote:

> On Sun, Mar 26, 2006 at 02:37:38AM +0000,
>  Paul Vixie <paul at vix.com> wrote
>  a message of 9 lines which said:
>> ask an RD=1 question about a nonexistent name in the root zone.  if
>> you get back NXDOMAIN it answered you recursively.
> As usual in the wild Internet, things are never so simple. I just ran
> a program which tests the RA bit against many nameservers (it is for
> statistical purposes, not for blacklisting, so a few mistakes are not
> important) and I noticed several nameservers which are *not* recursive
> but show it by answering NXDOMAIN for domains which do exist but are
> outside of their authority...

I don't think this conflicts with Paul's statement above. Note that  
he directs the query to be for a non-existent name in the *root*  
zone. So:

dig @$omeDNSserver stephane. a

There is no "stephane" name in the root zone currently - it is not  
one of the 264 currently valid ICANN TLDs.

What do you see when you query thus against those apparently odd  

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3286 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20060327/3d21aba4/attachment.bin>

More information about the dns-operations mailing list