[dns-operations] (co.)bw DNSSEC failure

Peter van Dijk peter.van.dijk at powerdns.com
Tue Sep 20 21:05:30 UTC 2016

Hi Warren,

On 20 Sep 2016, at 20:29, Warren Kumari wrote:

> So, that explains *this* case, but we often seem to see other *weird*
> issues... I'm trying to find the example (I have it squirreled away
> somewhere), but one of my favorites was getting back NXDOMAIN
> responses along with a full (complete and correct) answer. I never
> figured out what I should do with that - do I use the answer or not?

Hard to say without seeing it. I have seen a lot of this (typed from 

$ dig a www.example.com
; .. .. ..
; status: NXDOMAIN

www.example.com.   600  IN CNAME  www.example.org.

example.org. .. IN SOA ..

In this case, the auth thinks it is also authoritative for example.org 
and thus is able to return NXDOMAIN from there. NXDOMAIN applies to the 
QNAME -as defined by 2308- so given the misconfiguration of this auth, 
this is the right response. As a client, you use the CNAME, ignore the 
NXDOMAIN (as it’s out of bailiwick) and chase www.example.org 

Most misconfigurations of this type involve accidentally hosted root 
zones, btw.

> Another good one was querying for a AAAA only got me back a TXT record
> containing the string: "[TODO - FIXME!!!]".

Hah. Still better than NXDOMAIN or a lame response..

Kind regards,
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

More information about the dns-operations mailing list