[dns-operations] NXDOMAIN vs NOERROR/no answers for non-existant records

Matthew Richardson matthew-l at itconsult.co.uk
Fri Apr 3 11:31:38 UTC 2020 

I am observing responses from particular authoratitive servers for
non-existant domains, which is puzzling me.  I thought I understood this
topic, but am now having doubts...

Consider two (real) non-existant records (which are not empty non-terminals
- there is nothing below them):-

	doesnotexist.mtgmon.itconsult.net
	doesnotexist.monitor.itconsult.net

where mtgmon.itconsult.net & monitor.itconsult.net are delegated to
different authoratitives.

Querying each against the authoratitives returns NOERROR with "ANSWER: 0"
for the first one and NXDOMAIN for the second, behaviour which is
consistent across all the authoratitives:-

>; <<>> DiG 9.11.13 <<>> +norec +noadditional @dns3.mtgsy.com doesnotexist.mtgmon.itconsult.net
>; (2 servers found)
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19211
>;; flags: qr aa ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
>;; OPT PSEUDOSECTION:
>; EDNS: version: 0, flags:; udp: 4096
>;; QUESTION SECTION:
>;doesnotexist.mtgmon.itconsult.net. IN  A
>
>;; AUTHORITY SECTION:
>mtgmon.itconsult.net.   86400   IN      SOA     dns0.mtgsy.com. hostmaster.mtgmon.itconsult.net. 2016072809 3600 1200 1209600 3600
>
>;; Query time: 116 msec
>;; SERVER: 66.228.62.33#53(66.228.62.33)
>;; WHEN: Fri Apr 03 12:19:35 BST 2020
>;; MSG SIZE  rcvd: 143

and:-

>; <<>> DiG 9.11.13 <<>> +norec +noadditional @c.itconsult-dns.je doesnotexist.monitor.itconsult.net
>; (2 servers found)
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24100
>;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
>;; OPT PSEUDOSECTION:
>; EDNS: version: 0, flags:; udp: 4096
>; COOKIE: 9c5d1336b65682124007962c5e871bf967c716afd443a7df (good)
>;; QUESTION SECTION:
>;doesnotexist.monitor.itconsult.net. IN A
>
>;; AUTHORITY SECTION:
>monitor.itconsult.net.  43200   IN      SOA     a.itconsult-dns.net. hostmaster.itconsult.net. 67 7200 900 1814400 43200
>
>;; Query time: 160 msec
>;; SERVER: 108.61.207.208#53(108.61.207.208)
>;; WHEN: Fri Apr 03 12:20:25 BST 2020
>;; MSG SIZE  rcvd: 154

I had thought that the first behaviour returning NOERROR without answer for
doesnotexist.mtgmon.itconsult.net is incorrect, but would value the opinion
of those more learned than myself.

Also, if the behaviour were to be incorrect, what practical problems might
it cause?

With many thanks.

Best wishes,
Matthew

More information about the dns-operations mailing list