[dns-operations] NXDOMAIN and negative caching
Andrew Sullivan
ajs at anvilwalrusden.com
Tue Feb 2 00:20:29 UTC 2016
Hi,
On Mon, Feb 01, 2016 at 03:21:47PM -0800, Michael Smitasin wrote:
> - An NXDOMAIN / Name Error response indicates the domain name does not
> exist, while a No Data response indicates the domain exists but no data of
> the queried type exists. (Mostly looking at RFC 1035 Section 5.2.1)
> - An NXDOMAIN should be cached for a given QNAME, QCLASS. (RFC 2038 Section
> 5)
Yes.
> - An NXDOMAIN indicates /no/ records exist for that name.
Almost. With DNSSEC, you'll get records for that name, but they prove
its non-existence.
> - When an NXDOMAIN is cached, it will be returned for /any/ QTYPE matching
> the same QNAME, QCLASS.
Yes.
> We have a situation where an authoritative server (outside our control) is
> returning a good A record but when the same name is queried for an NS
> record, it returns NXDOMAIN. Once our caching nameservers get that NXDOMAIN,
> they start returning it to our client queries for the A record. If my
> understanding of the above is true, our caching nameservers are behaving
> correctly, but the authoritative server should not be returning NXDOMAIN for
> that name?
I think your understanding is correct. This should not be Name Error
(NXDOMAIN), but No Data.
> If so, is anyone familiar with the circumstances where that would
> be the case or have recommendations I can forward on to the operators of
> that authoritative server?
I've certainly seen it before. It's broken.
Best regards,
A
--
Andrew Sullivan
ajs at anvilwalrusden.com
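
The behaviour discussed in this thread, as an added example that is not part of the original message and is not taken from any resolver: a toy negative cache that stores Name Error per (QNAME, QCLASS) and No Data per (QNAME, QCLASS, QTYPE), plus a check that flags an authoritative server answering NXDOMAIN for one QTYPE while holding data for another. The name `host.example.`, the address and both response sets are constructed; TTLs are omitted, and the model lets a cached NXDOMAIN take precedence over positive entries, as the caching servers in the thread are reported to do.

```python
# Added example: toy model of negative caching, not a real resolver.
NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"

class NegCache:
    """NXDOMAIN is kept per (QNAME, QCLASS); No Data per (QNAME, QCLASS, QTYPE)."""
    def __init__(self):
        self.nxdomain, self.nodata, self.positive = set(), set(), {}

    def store(self, qname, qclass, qtype, rcode, answers):
        key = (qname.lower(), qclass)
        if rcode == NXDOMAIN:
            self.nxdomain.add(key)              # no QTYPE in the key
        elif not answers:
            self.nodata.add(key + (qtype,))     # No Data: only this QTYPE
        else:
            self.positive[key + (qtype,)] = answers

    def lookup(self, qname, qclass, qtype):
        key = (qname.lower(), qclass)
        if key in self.nxdomain:                # hides every QTYPE for the name
            return NXDOMAIN, []
        if key + (qtype,) in self.nodata:
            return NOERROR, []
        if key + (qtype,) in self.positive:
            return NOERROR, self.positive[key + (qtype,)]
        return None                             # cache miss

def inconsistent_names(observed):
    """Names answering NXDOMAIN for one QTYPE while holding data for another."""
    by_name = {}
    for (qname, _qtype), (rcode, answers) in observed.items():
        by_name.setdefault(qname.lower(), []).append((rcode, answers))
    return sorted(n for n, rows in by_name.items()
                  if any(r == NXDOMAIN for r, _ in rows)
                  and any(r == NOERROR and a for r, a in rows))

# Constructed responses modelling the misbehaving authoritative server.
BROKEN = {("host.example.", "A"): (NOERROR, ["192.0.2.10"]),
          ("host.example.", "NS"): (NXDOMAIN, [])}
# The same server answering No Data (NOERROR, empty answer) for NS instead.
FIXED = {("host.example.", "A"): (NOERROR, ["192.0.2.10"]),
         ("host.example.", "NS"): (NOERROR, [])}

def replay(observed):
    """Feed the responses into a fresh cache, then ask it for the A record."""
    cache = NegCache()
    for (qname, qtype), (rcode, answers) in observed.items():
        cache.store(qname, "IN", qtype, rcode, answers)
    return cache.lookup("host.example.", "IN", "A")
```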