[dns-operations] Another possible .gov validation problem?
Cricket Liu
cricket at nxdomain.com
Sun Feb 13 03:43:13 UTC 2011
Thanks for the reply, Mark. I should have thought to check the NSEC RR.
On Feb 12, 2011, at 12:36 AM, Mark Andrews wrote:
> In message <7FC8D4F4-3D71-4A3F-BA2A-25496572135A at nxdomain.com>, Cricket Liu writes:
>> Note the absence of a DS RR.
>>
>> However, an explicit query for a DS RR returns something surprising:
>>
>> $ dig @ns1.nasa.gov. ds pds.nasa.gov. +norec
>>
>> ; <<>> DiG 9.7.2 <<>> @ns1.nasa.gov. ds pds.nasa.gov. +norec
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3502
>> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;pds.nasa.gov. IN DS
>>
>> Note the NXDOMAIN RCODE.
Is the NXDOMAIN RCODE for the DS query normal? I don't get NXDOMAIN looking up (for example) DS RRs for infoblox.net in net; I get NOERROR. Of course, the net name servers run ATLAS and the nasa.gov name servers almost certainly don't.
cricket