[dns-operations] Any dreamhost DNS admins?

Tony Finch dot at dotat.at
Wed Feb 20 12:19:06 UTC 2019 

Doug Barton <dougb at dougbarton.email> wrote:
>
> My understanding of NXDOMAIN has always been that it means "I have
> nothing at that label." Am I missing something there? If I'm right, how
> does that status reconcile with an ANCOUNT > 0?

It comes from the algorithm in section 4.3.2 of RFC 1034.

[snip]

   3. Start matching down, label by label, in the zone.  The
      matching process can terminate several ways:

         a. If the whole of QNAME is matched, we have found the
            node.

            If the data at the node is a CNAME, and QTYPE doesn't
            match CNAME, copy the CNAME RR into the answer section
            of the response, change QNAME to the canonical name in
            the CNAME RR, and go back to step 1.

[snip]

         c. If at some label, a match is impossible (i.e., the
            corresponding label does not exist), look to see if a
            the "*" label exists.

            If the "*" label does not exist, check whether the name
            we are looking for is the original QNAME in the query
            or a name we have followed due to a CNAME.  If the name
            is original, set an authoritative name error in the
            response and exit.  Otherwise just exit.

Curiously, this says that an in-zone CNAME should not provoke an NXDOMAIN.

In actual implementations, the RCODE refers to the *end* of the
CNAME chain that appears in the answer, tho I can't find the right RFC
that says so.

RFC 1035 also says NXDOMAIN is only meaningful in authoritative responses,
which also seems to be ignored in practice.

Things get weird when there's a cache or RA involved, and authoritative
servers have differed on how strongly they wall off zones from each other.
I have somehow managed to get my server to answer differently on localhost
and on its public interface and I'm not sure how (the relevant acl is
supposed to include both addresses...)

; <<>> DiG 9.13.6 <<>> +norec outofzone.dotat.at @::1
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 48267
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

; <<>> DiG 9.13.6 <<>> +norec outofzone.dotat.at @131.111.57.57
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43198
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Thames, Dover: Southwest 5 or 6. Slight or moderate. Occasional rain later.
Moderate or good.

More information about the dns-operations mailing list