[dns-operations] Authoritative name server replies NODATA for a non-existing domain
Casey Deccio
casey at deccio.net
Wed Apr 22 17:36:38 UTC 2015
On Wed, Apr 22, 2015 at 9:12 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr>
wrote:
> Strange behavior:
>
> % for ns in $(dig +nodnssec +short NS adult.); do
> echo $ns
> dig @$ns NS thisdomaincertainlydoesnotexist.adult |& grep status:
> done
> d0.nic.adult.
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13433
> c0.nic.adult.
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23111
> a0.nic.adult.
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3358
> a2.nic.adult.
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48334
> b2.nic.adult.
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29932
> b0.nic.adult.
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58405
>
> IMHO, all the name servers should reply NXDOMAIN, no?
>
> DNSviz does complain:
>
>
> http://dnsviz.net/d/adult/dnssec/?rr=all&a=all&ds=all&doe=on&ta=.&ta=dlv.isc.org.&tk=
>
FWIW, DNSViz was complaining, but due to a bug (in DNSViz) it wasn't clear
what it was complaining about. In this case the was that it was a NODATA
response but there was no NSEC3 record matching the QNAME in the response.
It has now been fixed.
http://dnsviz.net/d/adult/VTe7yw/dnssec/?rr=all&a=all&ds=all&doe=on&ta=.&ta=dlv.isc.org.&tk=
The proof in the response indicated NXDOMAIN, but the response code didn't
match.
Cheers,
Casey
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20150422/f1fecb8f/attachment.html>
More information about the dns-operations
mailing list