[dns-operations] NXDOMAIN and negative caching
Dave Warren
davew at hireahit.com
Tue Feb 2 04:03:34 UTC 2016
On 2016-02-01 16:39, Mark Andrews wrote:
> When load balancers only handled A records, AAAA records got NXDOMAIN
> responses and the following advisory was issued:
>
> https://www.kb.cert.org/vuls/id/714121
>
> Twelve years later we are still seeing these issues. The load
> balancer should be able to catch these errors. It's only a matter
> of querying the backing nameserver for the records it is configured
> to answer for and confirming that you get an appropriate RRset
> returned.
It also strikes me as weird that load balancers end up with an NXDOMAIN.
Wouldn't a more sane default configuration be to use NODATA for queries
within a known zone, if it's known that a load balancer may not know
about all records?
At least to me, it seems that if one can't be bothered to develop a
correct implementation, it would be less harmful to return NODATA when
the reality is NXDOMAIN, while it's obviously harmful to return NXDOMAIN
when the reality is NODATA.
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
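To show why the NXDOMAIN-versus-NODATA choice matters to a caching resolver, here is a toy model of RFC 2308 negative caching together with the backend audit Mark suggests. It is an added example, not code from the thread or any load balancer; the zone, name and address are constructed.

```python
# Toy model of RFC 2308 negative caching at a recursive resolver.
# A cached NXDOMAIN covers every type at that name; a cached NODATA
# covers only the (name, type) pair that was asked for.
NXDOMAIN, NODATA, NOERROR = "NXDOMAIN", "NODATA", "NOERROR"

def lb_answer(zone, name, qtype, broken):
    """Model the load balancer's authoritative reply. `zone` maps
    (name, qtype) -> rdata. A broken balancer answers NXDOMAIN for any
    type it has no record for, even when the name exists; a correct one
    answers NODATA (NOERROR, empty answer) when the name exists."""
    if (name, qtype) in zone:
        return NOERROR, zone[(name, qtype)]
    name_exists = any(n == name for n, _ in zone)
    return (NODATA, []) if name_exists and not broken else (NXDOMAIN, [])

class Resolver:
    def __init__(self, zone, broken):
        self.zone, self.broken = zone, broken
        self.nxdomain, self.nodata, self.positive = set(), set(), {}
    def query(self, name, qtype):
        """Return (rcode, rdata, served_from_cache)."""
        if name in self.nxdomain:            # RFC 2308 s.5: name-wide negative hit
            return NXDOMAIN, [], True
        if (name, qtype) in self.nodata:     # type-specific negative hit
            return NODATA, [], True
        if (name, qtype) in self.positive:
            return NOERROR, self.positive[(name, qtype)], True
        rcode, rdata = lb_answer(self.zone, name, qtype, self.broken)
        if rcode == NXDOMAIN:
            self.nxdomain.add(name)
        elif rcode == NODATA:
            self.nodata.add((name, qtype))
        else:
            self.positive[(name, qtype)] = rdata
        return rcode, rdata, False

# Constructed zone: the balancer serves an A record only, no AAAA.
ZONE = {("www.example.com.", "A"): ["192.0.2.10"]}

def dual_stack_lookup(broken):
    """A dual-stack client asks AAAA first, then A, through one resolver."""
    r = Resolver(ZONE, broken)
    aaaa = r.query("www.example.com.", "AAAA")
    a = r.query("www.example.com.", "A")
    return aaaa[0], a[0], a[2]   # second result: rcode of A and whether cached

def audit(zone, broken):
    """Mark's check: ask the backend for each configured name and flag any
    NXDOMAIN returned for a name that demonstrably has records."""
    bad = []
    for name in {n for n, _ in zone}:
        for qtype in ("A", "AAAA"):
            if lb_answer(zone, name, qtype, broken)[0] == NXDOMAIN:
                bad.append((name, qtype))
    return sorted(bad)
```

With the broken balancer the A lookup is answered NXDOMAIN straight from the negative cache, so the client never reaches the host; with NODATA the A lookup still succeeds.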