[dns-operations] Authoritative name server replies NODATA for a non-existing domain

Matthäus Wander matthaeus.wander at uni-due.de
Wed Apr 22 15:50:08 UTC 2015


* Stephane Bortzmeyer [2015-04-22 16:16]:
> On Wed, Apr 22, 2015 at 03:12:24PM +0200,
>  Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote 
>  a message of 30 lines which said:
> 
>> IMHO, all the name servers should reply NXDOMAIN, no?
> 
> Or could it be a "minimum response", intended to prevent zone
> enumeration?

It's not minimal, the hash range is very large (wraparound record from
D9D... to VVV... and 000... to 4DL...), covering the hashes of the query
name, wildcard name and closest encloser.

> d9dhvu2eiln97dgi23tkh43hq2uvh7uq.adult. 829 IN NSEC3 1 1 1 D399EAAB 4DLOEEUR1VQ4LQ6N7QUS62O2MAIUPGRM NS SOA RRSIG DNSKEY NSEC3PARAM

I'd expect NXDOMAIN, too. Apart from an unusual rcode, the response
looks valid. Does this qualify as a protocol violation?

Regards,
Matt
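An added example, not code from the thread: the script below implements the RFC 5155 NSEC3 hash (SHA-1 over the canonical wire-format name plus salt, iterated) and the owner/next cover check with the wraparound case that the pasted record exhibits (owner D9DH... sorts after next 4DLO..., so the record covers the end and the start of the hash space). It parses the NSEC3 RR quoted above with its salt D399EAAB and 1 iteration, and reports whether the record matches the apex and whether it covers a given name and the wildcard. The thread does not say which name was queried, so the query name "does-not-exist.adult." is a constructed assumption, and the closest-encloser logic assumes a name directly below the apex.

```python
"""NSEC3 hashing and cover/match checks per RFC 5155 (added example).

The NSEC3 record is the one quoted in the post; query names are constructed.
"""
import hashlib

# RFC 4648 s.7 "Extended Hex" alphabet: NSEC3 uses it so the text form sorts
# in the same order as the raw hash bytes.
_B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"

# The NSEC3 RR pasted in the message above (presentation format).
RECORD = ("d9dhvu2eiln97dgi23tkh43hq2uvh7uq.adult. 829 IN NSEC3 1 1 1 D399EAAB "
          "4DLOEEUR1VQ4LQ6N7QUS62O2MAIUPGRM NS SOA RRSIG DNSKEY NSEC3PARAM")


def base32hex(data: bytes) -> str:
    """Unpadded Base32hex (RFC 4648 s.7), the encoding of NSEC3 owner names."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)  # pad to a multiple of 5 bits (no-op for SHA-1)
    return "".join(_B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, terminated by 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int, algorithm: int = 1) -> str:
    """RFC 5155 s.5: IH(0) = H(name||salt); IH(k) = H(IH(k-1)||salt); result IH(iterations)."""
    if algorithm != 1:
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_covers(owner_hash: str, next_hash: str, target_hash: str) -> bool:
    """True if target lies strictly between owner and next in hash order.

    If owner > next this is the zone's last NSEC3 and the range wraps around:
    it covers everything after owner and everything before next."""
    o, n, t = owner_hash.upper(), next_hash.upper(), target_hash.upper()
    if o == t:
        return False  # exact match: the name (or an empty non-terminal) exists
    if o < n:
        return o < t < n
    return t > o or t < n  # wraparound case


def parse_nsec3_rr(text: str) -> dict:
    """Parse 'owner TTL IN NSEC3 alg flags iterations salt next [types...]'."""
    f = text.split()
    if f[3] != "NSEC3":
        raise ValueError("not an NSEC3 record")
    return {
        "owner_hash": f[0].split(".")[0].upper(),
        "zone": ".".join(f[0].split(".")[1:]),
        "algorithm": int(f[4]),
        "flags": int(f[5]),        # bit 0 set = Opt-Out
        "iterations": int(f[6]),
        "salt": f[7],
        "next_hash": f[8].upper(),
        "types": f[9:],
    }


def classify(rr: dict, qname: str) -> dict:
    """What this single NSEC3 proves about a name directly below the zone apex.

    An NXDOMAIN proof (RFC 5155 s.8.4) needs the closest encloser (here assumed
    to be the apex) matched, the next closer name covered, and the wildcard
    *.<zone> covered. A NODATA proof would instead need an NSEC3 matching qname."""
    h = lambda n: nsec3_hash(n, rr["salt"], rr["iterations"], rr["algorithm"])
    apex_h, q_h, wc_h = h(rr["zone"]), h(qname), h("*." + rr["zone"])
    return {
        "apex_hash": apex_h,
        "apex_matched": apex_h == rr["owner_hash"],
        "qname_hash": q_h,
        "qname_covered": nsec3_covers(rr["owner_hash"], rr["next_hash"], q_h),
        "wildcard_hash": wc_h,
        "wildcard_covered": nsec3_covers(rr["owner_hash"], rr["next_hash"], wc_h),
    }


if __name__ == "__main__":
    rr = parse_nsec3_rr(RECORD)
    # Constructed query name: the thread does not state which name was queried.
    for key, val in classify(rr, "does-not-exist.adult.").items():
        print(f"{key:17} {val}")
```

Run it against your own zone's NSEC3 by swapping RECORD and the query name; if apex_matched, qname_covered and wildcard_covered are all true, the record is sufficient for an NXDOMAIN proof and a NODATA rcode with it is the inconsistency discussed above.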
