[dns-operations] NXDOMAIN at zone apex???

Paul Vixie paul at redbarn.org
Thu May 25 15:32:44 UTC 2017

On Thursday, May 25, 2017 2:38:13 PM GMT Andrew Sullivan wrote:
> On Wed, May 24, 2017 at 08:16:06PM -0400, Viktor Dukhovni wrote:
> > I would have thought that's invalid, but unbound does not mind:
> It is invalid.  Unbound tolerates this because a few "special" vendors
> don't know the difference between No answer/no data responses and
> NXDOMAIN, so resolvers have to put up with this.  But it's wrong, yes.
> See RFC 8020.

the more we are liberal in what we accept, the more they will be 
unconservative in what they generate.

RCODE=3 AA=1 should be interpreted as "rm -rf $qname" in the existing cache, 
and the addition of a skull-and-crossbones marker to the cache at that same 


More information about the dns-operations mailing list