[dns-operations] NXDOMAIN vs NOERROR/no answers for non-existent records

Matthew Richardson matthew-l at itconsult.co.uk
Mon Apr 6 10:31:21 UTC 2020


Thanks - I had also missed the subtlety that monitor.itconsult.net shared
servers with itconsult.net.

For testing, I have set up testmon.itconsult.net which is delegated in the
same way (i.e. insecure) as mtgmon.itconsult.net.  However, I get the same
results, namely NOERROR for mtgmon and NXDOMAIN for testmon:-

>; <<>> DiG 9.11.13 <<>> +norec +noadditional @dns3.mtgsy.com doesnotexist.mtgmon.itconsult.net
>; (2 servers found)
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38925
>;; flags: qr aa ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
>;; OPT PSEUDOSECTION:
>; EDNS: version: 0, flags:; udp: 4096
>;; QUESTION SECTION:
>;doesnotexist.mtgmon.itconsult.net. IN  A
>
>;; AUTHORITY SECTION:
>mtgmon.itconsult.net.   86400   IN      SOA     dns0.mtgsy.com. hostmaster.mtgmon.itconsult.net. 2016072809 3600 1200 1209600 3600
>
>;; Query time: 102 msec
>;; SERVER: 162.243.59.139#53(162.243.59.139)
>;; WHEN: Mon Apr 06 11:23:01 BST 2020
>;; MSG SIZE  rcvd: 143

and:-

>; <<>> DiG 9.11.13 <<>> +norec +noadditional @dt01.itconsult.net doesnotexist.testmon.itconsult.net
>; (1 server found)
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53268
>;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
>;; OPT PSEUDOSECTION:
>; EDNS: version: 0, flags:; udp: 4096
>; COOKIE: aaca28581cfb0aee52c39f995e8b033847b494952922316b (good)
>;; QUESTION SECTION:
>;doesnotexist.testmon.itconsult.net. IN A
>
>;; AUTHORITY SECTION:
>testmon.itconsult.net.  43200   IN      SOA     dt01.itconsult.net. hostmaster.itconsult.net. 1 7200 900 1814400 43200
>
>;; Query time: 1 msec
>;; SERVER: 193.201.42.33#53(193.201.42.33)
>;; WHEN: Mon Apr 06 11:23:53 BST 2020
>;; MSG SIZE  rcvd: 143

This confirms that the difference in behaviour is not due to the sharing of
DNS servers.

Best wishes,
Matthew

 ------
>From: Shumon Huque <shuque at gmail.com>
>To: Stephane Bortzmeyer <bortzmeyer at nic.fr>
>Cc: DNS Operations List <dns-operations at dns-oarc.net>
>Date: Fri, 3 Apr 2020 09:06:20 -0400
>Subject: Re: [dns-operations] NXDOMAIN vs NOERROR/no answers for non-existent records

>On Fri, Apr 3, 2020 at 8:20 AM Stephane Bortzmeyer <bortzmeyer at nic.fr>
>wrote:
>
>> On Fri, Apr 03, 2020 at 07:48:16AM -0400,
>>  Shumon Huque <shuque at gmail.com> wrote
>>  a message of 98 lines which said:
>>
>> > The second one, doesnotexist.monitor.itconsult.net., does not appear to be
>> > delegated from its parent.
>>
>> This is not what I see. Both are delegated from itconsult.net
>> (source: their SOA).
>>
>
>Ah, yes. The subtlety here (which I didn't notice at first) is that
>monitor.itconsult.net is served by the same name servers as its parent.
>Since most authority servers answer from their closest enclosing zone, most
>iterative debugging tools like dig+trace etc won't see the delegation.
>
>Shumon.
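
Added example, not part of the original message or thread: a small Python parser that classifies a saved dig response as NXDOMAIN or NODATA using the RFC 2308 definitions, run on header and authority lines abbreviated from the two responses above. The function names and the REFERRAL_OR_NODATA label are assumptions of this sketch.

```python
import re

# Header and authority lines abbreviated from the two dig responses quoted above.
MTGMON = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38925
;; flags: qr aa ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
mtgmon.itconsult.net.   86400   IN      SOA     dns0.mtgsy.com. hostmaster.mtgmon.itconsult.net. 2016072809 3600 1200 1209600 3600
"""
TESTMON = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53268
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
testmon.itconsult.net.  43200   IN      SOA     dt01.itconsult.net. hostmaster.itconsult.net. 1 7200 900 1814400 43200
"""

STATUS = re.compile(r"status: (\w+), id: \d+")
COUNTS = re.compile(r"flags: ([a-z ]*); QUERY: \d+, ANSWER: (\d+), AUTHORITY: (\d+)")
SOA = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s", re.M)

def classify(dig_text):
    """Return (kind, header_flags, soa_owner) for one dig response."""
    status_m, counts_m = STATUS.search(dig_text), COUNTS.search(dig_text)
    if not status_m or not counts_m:
        raise ValueError("no dig header found")
    status = status_m.group(1)
    flags, answers = counts_m.group(1).split(), int(counts_m.group(2))
    soa_m = SOA.search(dig_text)
    owner = soa_m.group(1) if soa_m else None
    if status == "NXDOMAIN":
        kind = "NXDOMAIN"      # the queried name does not exist
    elif status != "NOERROR":
        kind = status          # SERVFAIL, REFUSED, ...
    elif answers > 0:
        kind = "ANSWER"
    elif owner:
        kind = "NODATA"        # RFC 2308: NOERROR, empty answer, SOA in authority
    else:
        kind = "REFERRAL_OR_NODATA"  # needs the NS records to tell apart
    return kind, flags, owner

def compare(responses):
    """Classify each labelled response and report whether all servers agree."""
    kinds = {label: classify(text)[0] for label, text in responses.items()}
    return kinds, len(set(kinds.values())) == 1

if __name__ == "__main__":
    print(compare({"dns3.mtgsy.com": MTGMON, "dt01.itconsult.net": TESTMON}))
```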


