[dns-operations] NXDOMAIN vs NOERROR/no answers for non-existent records

Ángel operations at dns.16bits.net
Tue Apr 7 02:50:39 UTC 2020

On 2020-04-06 at 12:19 -0400, Dave Lawrence wrote:
> Matthew Richardson writes:
> > However, is this going to cause any practical problems?
> Even outside DNSSEC, where it absolutely would be a problem, there are
> some contexts for specialty applications where the difference between
> the two types of negative answers is meaningful.  The examples I can
> think of off the top of my head are proprietary, but the general idea
> should hold: if two things have semantically different meanings,
> people somewhere are making use of the distinction.

I have seen the opposite problem to the OP's: servers returning NXDOMAIN
when there are actually child records, when they should have returned
NODATA, such as when querying _domainkeys.
Returning NODATA instead of NXDOMAIN would seem mostly to be an
inefficiency, but section 4 of RFC 8020 documents how returning NXDOMAIN
can mitigate some random QNAME attacks.

1- https://tools.ietf.org/html/rfc8020#section-4
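
Added example, not part of the original message: a small Python model of a resolver cache that applies the RFC 8020 rule (a cached NXDOMAIN covers everything beneath that name). It shows the two effects discussed in the thread: an authoritative server that wrongly answers NXDOMAIN for an empty non-terminal makes existing child records unreachable, and a correct NXDOMAIN lets the cache absorb random-QNAME queries. The zone contents, names and the `buggy_ent` switch are constructed for illustration.

```python
# Added example: resolver negative cache applying the RFC 8020 "NXDOMAIN cut".
# ZONE, the query names and the buggy_ent flag are constructed assumptions.
NXDOMAIN, NODATA, NOERROR = "NXDOMAIN", "NODATA", "NOERROR"

def authoritative_rcode(zone, qname, qtype, buggy_ent=False):
    """Answer as an authoritative server for `zone` ({owner name: {rrtypes}})."""
    qname = qname.lower().rstrip(".")
    if qname in zone:
        return NOERROR if qtype in zone[qname] else NODATA
    # Empty non-terminal: no records at qname, but an owner name exists below it.
    is_ent = any(n.endswith("." + qname) for n in zone)
    if is_ent and not buggy_ent:
        return NODATA
    return NXDOMAIN  # correct for truly absent names, wrong for an ENT

class Rfc8020Cache:
    """Negative cache in which a cached NXDOMAIN covers every descendant name."""
    def __init__(self, upstream):
        self.upstream = upstream
        self.nx = set()
        self.upstream_queries = 0

    def resolve(self, qname, qtype):
        labels = qname.lower().rstrip(".").split(".")
        # Check the name itself and each ancestor for a cached NXDOMAIN.
        for i in range(len(labels)):
            if ".".join(labels[i:]) in self.nx:
                return NXDOMAIN
        self.upstream_queries += 1
        rcode = self.upstream(".".join(labels), qtype)
        if rcode == NXDOMAIN:
            self.nx.add(".".join(labels))
        return rcode

ZONE = {  # constructed sample zone
    "example.com": {"SOA", "NS"},
    "sel1._domainkey.example.com": {"TXT"},
}

def demo(buggy_ent):
    cache = Rfc8020Cache(lambda n, t: authoritative_rcode(ZONE, n, t, buggy_ent))
    ent = cache.resolve("_domainkey.example.com", "TXT")       # empty non-terminal
    key = cache.resolve("sel1._domainkey.example.com", "TXT")  # real child record
    cache.resolve("gone.example.com", "A")                     # caches an NXDOMAIN
    before = cache.upstream_queries
    for i in range(100):                                       # random-QNAME style load
        cache.resolve(f"r{i}.gone.example.com", "A")
    return ent, key, cache.upstream_queries - before
```

`demo(False)` models a correct authoritative server and `demo(True)` the misbehaving one; the third element of the result is how many of the 100 random-label queries reached the upstream server.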
