[dns-operations] Another possible .gov validation problem?

Cricket Liu cricket at nxdomain.com
Sun Feb 13 03:43:13 UTC 2011


Thanks for the reply, Mark.  I should have thought to check the NSEC RR.

On Feb 12, 2011, at 12:36 AM, Mark Andrews wrote:

> In message <7FC8D4F4-3D71-4A3F-BA2A-25496572135A at nxdomain.com>, Cricket Liu writes:
>> Note the absence of a DS RR.
>> 
>> However, an explicit query for a DS RR returns something surprising:
>> 
>> $ dig @ns1.nasa.gov. ds pds.nasa.gov. +norec
>> 
>> ; <<>> DiG 9.7.2 <<>> @ns1.nasa.gov. ds pds.nasa.gov. +norec
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3502
>> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>> 
>> ;; QUESTION SECTION:
>> ;pds.nasa.gov.			IN	DS
>> 
>> Note the NXDOMAIN RCODE.

Is the NXDOMAIN RCODE for the DS query normal?  I don't get NXDOMAIN looking up (for example) DS RRs for infoblox.net in net; I get NOERROR.  Of course, the net name servers run ATLAS and the nasa.gov name servers almost certainly don't.

cricket



