[dns-operations] NXDOMAIN at zone apex???

Mark Andrews marka at isc.org
Thu May 25 21:42:20 UTC 2017


Resending w/o the list of names.  Spamassassin is blocking emails
with the list of offending domains.

Mark Andrews writes:
> 
> The SOA matches the zone being looked up and it would require extra
> code to reject this broken unsigned answer for a obsure corner case.
> Once the NXDOMAIN is cached even the SOA lookup gets NXDOMAIN from
> named.  If the servers for a zone return inconstant answers depening
> on query type or any other factor it isn't the resolver's job to
> fix this.  Garbage In Garbage Out.
> 
> That said if a TLD or registrar was checking non meta QTYPE handling
> this would be a good reason to remove/reject the delegation.  NOTIMP
> and NXDOMAIN shouldn't be returned for non meta QTYPEs at the zone
> apex.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org



More information about the dns-operations mailing list