[dns-operations] NXDOMAIN and negative caching

Dave Warren davew at hireahit.com
Tue Feb 2 04:03:34 UTC 2016

On 2016-02-01 16:39, Mark Andrews wrote:
> When load balancers only handled A records, AAAA records got NXDOMAIN
> responses and the following advisory was issued:
> 	https://www.kb.cert.org/vuls/id/714121
> Twelve years later we are still seeing these issues.  The load
> balancer should be able to catch these errors.  It's only a matter
> of querying the backing nameserver for the records it is configured
> to answer for and confirming that you get an appropriate RRset
> returned.

It also strikes me as weird that load balancers end up with an NXDOMAIN;
wouldn't a more sane default configuration be to use NODATA for queries
within a known zone, if it's known that a load balancer may not know
about all records?

At least to me, it seems that if one can't be bothered to develop a 
correct implementation, it would be less harmful to return NODATA when 
the reality is NXDOMAIN, while it's obviously harmful to return NXDOMAIN 
when the reality is NODATA.

Dave Warren
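The check Mark describes above, and the NODATA-versus-NXDOMAIN distinction Dave raises, as an added example that is not code from this thread or from any load-balancer product. It models a load balancer that only knows A records in two ways: a naive table lookup that answers NXDOMAIN for anything it has no entry for (the behaviour the thread complains about), and a corrected version that answers NOERROR with an empty answer section (NODATA) for other types at a name it does know. The audit queries every configured name for A and AAAA, reads the RCODE and ANCOUNT from the 12-byte header of each reply, and flags any name where one type says NXDOMAIN while another proves the name exists. The zone name, address, and the two answer functions are constructed for the example; only DNS headers are built, since that is all the check needs.

```python
"""Audit a load balancer's DNS answers for the NXDOMAIN-vs-NODATA bug.

Added example (not code from the dns-operations thread or from any
load-balancer product). Names and addresses below are constructed.
"""
import struct
from collections import defaultdict

NOERROR, NXDOMAIN = 0, 3

# Constructed "load balancer" configuration: it only knows A records.
CONFIG = {"www.example.test": {"A": ["192.0.2.10"]}}


def broken_answer(name, qtype):
    """Naive implementation: anything not in the table is NXDOMAIN.
    This is the behaviour the thread complains about (hypothetical)."""
    rrs = CONFIG.get(name, {}).get(qtype)
    return (NOERROR, rrs) if rrs else (NXDOMAIN, [])


def fixed_answer(name, qtype):
    """Name exists -> NOERROR with an empty answer (NODATA) for types it
    has no records for; NXDOMAIN only when the name itself is unknown."""
    if name not in CONFIG:
        return NXDOMAIN, []
    return NOERROR, CONFIG[name].get(qtype, [])


def encode_header(qid, rcode, ancount):
    """Build the 12-byte DNS header of a response (QR=1, AA=1, RCODE set).
    Only the header matters for this check, so no question or answer
    section is encoded (constructed packets, not real captures)."""
    flags = 0x8400 | (rcode & 0x0F)
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)


def classify(pkt):
    """Return 'NXDOMAIN', 'NODATA', 'DATA' or 'RCODE<n>' from a reply header.
    NODATA is NOERROR with an empty answer section (RFC 2308)."""
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    rcode = flags & 0x0F
    if rcode == NXDOMAIN:
        return "NXDOMAIN"
    if rcode == NOERROR:
        return "DATA" if ancount else "NODATA"
    return f"RCODE{rcode}"


def audit(answer_fn, names, qtypes=("A", "AAAA")):
    """Query every name for every type and report names where one type
    says NXDOMAIN while another type shows the name exists.  A name that
    is NXDOMAIN for every type is consistent and is not reported."""
    seen = defaultdict(dict)
    for qid, name in enumerate(names, start=1):
        for qtype in qtypes:
            rcode, rrs = answer_fn(name, qtype)
            seen[name][qtype] = classify(encode_header(qid, rcode, len(rrs)))
    findings = []
    for name, by_type in seen.items():
        nx = [t for t, c in by_type.items() if c == "NXDOMAIN"]
        exists = [t for t, c in by_type.items() if c in ("DATA", "NODATA")]
        if nx and exists:
            findings.append(
                f"{name}: NXDOMAIN for {nx} but {exists} show the name exists")
    return findings


if __name__ == "__main__":
    print("broken:", audit(broken_answer, list(CONFIG)))
    print("fixed: ", audit(fixed_answer, list(CONFIG)))
```

Against a real deployment the two answer functions would be replaced by queries to the load balancer and to the backing nameserver, and the same comparison applies: the existence of any RR type at a name means the name exists, so an NXDOMAIN for AAAA alongside a positive A answer is a contradiction a resolver is entitled to negatively cache for the whole name, which is why NODATA is the only safe answer when the device is unsure.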
