[dns-operations] (co.)bw DNSSEC failure

Mark Andrews marka at isc.org
Tue Sep 20 21:57:52 UTC 2016

In message <26C14ADA-DD55-47E4-B6E9-5D3A7602393E at powerdns.com>, "Peter van Dijk
" writes:
> Hi Warren,
> On 20 Sep 2016, at 20:29, Warren Kumari wrote:
> > So, that explains *this* case, but we often seem to see other *weird*
> > issues... I'm trying to find the example (I have it squirreled away
> > somewhere), but one of my favorites was getting back NXDOMAIN
> > responses along with a full (complete and correct) answer. I never
> > figured out what I should do with that - do I use the answer or not?
> Hard to say without seeing it. I have seen a lot of this (typed from
> memory):
> $ dig a www.example.com
> ; .. .. ..
> ; status: NXDOMAIN
> www.example.com.   600  IN CNAME  www.example.org.
> example.org. .. IN SOA ..
> In this case, the auth thinks it is also authoritative for example.org
> and thus is able to return NXDOMAIN from there. NXDOMAIN applies to the
> QNAME -as defined by 2308- so given the misconfiguration of this auth,
> this is the right response. As a client, you use the CNAME, ignore the
> NXDOMAIN (as its out of bailiwick) and chase www.example.org
> yourself.

A stub client doesn't chase the CNAME as it is using the recursive
server to do so.  People do point stub resolvers at authoritative
servers that hold the entire namespace for that stub so authoritative
servers do need to follow CNAME records when present in the authoritative

With DNSSEC we don't care who gives the NXDOMAIN as long as it
validates as secure.

> Most misconfigurations of this type involve accidentally hosted root
> zones, btw.
> > Another good one was querying for a AAAA only got me back a TXT record
> > containing the string: "TODO - FIXME!!!".
> Hah. Still better than NXDOMAIN or a lame response..

But it should be reason to pull the delegation for that zone if it
is not fixed after being reported.  It is not hard to return a no
error no data response.

> Kind regards,
> --
> Peter van Dijk
> PowerDNS.COM BV - https://www.powerdns.com/
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list