Mark Andrews marka at isc.org
Thu Apr 23 22:17:25 UTC 2015

In message <D15E7BB0.B14F%edward.lewis at icann.org>, Edward Lewis writes:
> On 4/23/15, 2:45, "Michał Kępień" <michal.kepien at nask.pl> wrote:
> >> Yes, it's due to bug:
> >>
> >> 	• Fix RCODE when secondary NSD got transfer that includes deleted
> >>wildcard record. After deletion, NSD would serve NODATA, should be
> >>NXDOMAIN (thanks Michal Kepien).
> >
> >This is fun - I never expected this bug to be publicly noticed for a
> >TLD.
> Bugs happen.  In past work I've done, I've seen some very detailed ones
> that even the TLD operator wasn't aware was happening.  (Even "big time"
> operators, in the class of I could call one of their engineers and they
> got it right away.)  By bugs, I include unexpected yet sometimes still
> very protocol-valid results.
> This is an artifact of using off-the-shelf components (open source or not)
> which have so many features/etc. that testing every nook-and-cranny is
> impractical.  (Risk management ... don't waste resources testing things
> that won't matter.)  The issue seen on this thread shows code diversity
> (and why some want it), so good.

Then some resolver uses a feature of the protocol and things go to
hell in a handbasket real fast.

http://users.isc.org/~marka/summary.html shows the results of not
testing "unused" features of the protocol.  Some of these "unused"
features are now "in use" [1] and lookups are FAILING because vendors
failed to test before shipping.  EVERYONE on this list should test
their nameservers for compliance and fix the broken ones.

If you are a vendor of a broken server please issue a CVE for the
broken versions as they can cause a denial of service.  This will
"allow" OS vendors to install fixes.

TLD operators, I encourage you to audit all the delegated servers
for EDNS compliance in the handling of unknown EDNS options, unknown
EDNS version and unknown EDNS flags and then to inform the owners
of the servers that they need to fix them.

If a TLD/SLD operator wants a copy of the scripts used to generate
these graphs let me know.  They will require tweaking.

[1] https://lists.isc.org/pipermail/bind-users/2015-April/095018.html


> When bugs pop up I usually contact the operator off-list partly to confirm
> that it is a bug and sometimes learn the make and model of what they are
> running.  Usually the operator takes care of contacting the tool maker, if
> not, I do.  Usually we work that out based on convenience.
> Mind you - I not all bugs are "serious" as in operations impacting.  In
> this case, the name in question doesn't 'exist' so any access to it
> (WWW/SSH/FTP) is doomed anyway.  Whether it's NXDOMAIN or NODATA, there's
> no AAAA or A record to be had.  Yes, you'll trip up DNSVIZ and get your
> name in the permanent record.
