[dns-operations] (co.)bw DNSSEC failure
Peter van Dijk
peter.van.dijk at powerdns.com
Tue Sep 20 21:05:30 UTC 2016
Hi Warren,
On 20 Sep 2016, at 20:29, Warren Kumari wrote:
> So, that explains *this* case, but we often seem to see other *weird*
> issues... I'm trying to find the example (I have it squirreled away
> somewhere), but one of my favorites was getting back NXDOMAIN
> responses along with a full (complete and correct) answer. I never
> figured out what I should do with that - do I use the answer or not?
Hard to say without seeing it. I have seen a lot of this (typed from
memory):
$ dig a www.example.com
; .. .. ..
; status: NXDOMAIN
;; ANSWER SECTION:
www.example.com. 600 IN CNAME www.example.org.
;; AUTHORITY SECTION
example.org. .. IN SOA ..
In this case, the auth thinks it is also authoritative for example.org
and thus is able to return NXDOMAIN from there. NXDOMAIN applies to the
QNAME -as defined by 2308- so given the misconfiguration of this auth,
this is the right response. As a client, you use the CNAME, ignore the
NXDOMAIN (as it’s out of bailiwick) and chase www.example.org
yourself.
Most misconfigurations of this type involve accidentally hosted root
zones, btw.
> Another good one was querying for a AAAA only got me back a TXT record
> containing the string: "[TODO - FIXME!!!]".
Hah. Still better than NXDOMAIN or a lame response..
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
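
The client-side handling described in the reply above (use the CNAME, ignore the out-of-bailiwick NXDOMAIN, chase the target yourself), as an added sketch that is not from the original post or from PowerDNS. The RR type, the interpret() function and the "zone" argument (the zone this server was asked about) are hypothetical names; the in-bailiwick branches go beyond the one case in the post.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    data: str

def norm(name):
    return name.rstrip(".").lower()

def in_bailiwick(name, zone):
    """True if name is at or below zone, compared label by label."""
    n, z = norm(name).split("."), norm(zone).split(".")
    return z == [""] or n[-len(z):] == z

def interpret(qname, qtype, zone, rcode, answer):
    """Return (action, name) for a response from a server we asked about `zone`.

    Actions: "answer", "nxdomain", "nodata", "chase" (re-query name ourselves),
    "loop". Assumes rcode is "NOERROR" or "NXDOMAIN".
    """
    current, seen = norm(qname), set()
    while True:
        if not in_bailiwick(current, zone):
            # The server has no standing here: drop its rcode, chase the target.
            return ("chase", current)
        if current in seen:
            return ("loop", current)
        seen.add(current)
        here = [rr for rr in answer if norm(rr.name) == current]
        if any(rr.rtype == qtype for rr in here):
            return ("answer", current)
        cnames = [rr for rr in here if rr.rtype == "CNAME"]
        if not cnames:
            # Chain ended inside the zone, so the rcode is about this name.
            return ("nxdomain" if rcode == "NXDOMAIN" else "nodata", current)
        current = norm(cnames[0].data)

# Constructed sample: the response from the post, zone cut assumed at example.com.
POST_CASE = [RR("www.example.com.", "CNAME", "www.example.org.")]
# Constructed sample: same shape, but the target stays inside example.com.
INSIDE_CASE = [RR("www.example.com.", "CNAME", "gone.example.com.")]

if __name__ == "__main__":
    print(interpret("www.example.com.", "A", "example.com.", "NXDOMAIN", POST_CASE))
    print(interpret("www.example.com.", "A", "example.com.", "NXDOMAIN", INSIDE_CASE))
```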