[dns-operations] NXDOMAIN vs NOERROR/no answers for non-existent records
tale at dd.org
Tue Apr 7 16:54:50 UTC 2020
> I have seen the opposite problem than the op, servers returning NXDOMAIN
> when there are actually child records, and they should have returned
> NODATA, such as querying _domainkeys.
Right, this is absolutely a problem too, with the practical
consequence that it thwarts qname minimisation (RFC 7816) and
aggressive negative caching as you called out from 8020. To be clear:
> Returning NODATA instead of NXDOMAIN would seem mostly to be an
> inefficiency, but section 4 of rfc 8020 documents how returning NXDOMAIN
> can mitigate some random QNAME attacks.
Yes, *proper and accurate* NXDOMAIN will do that. But if you answer
NXDOMAIN for an empty non-terminal then you risk resolvers (not only
qname-minimising ones) not being able to properly resolve subdomains
that really do exist.
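The failure mode discussed above, modelled in Python as an added example (not code from the thread or any DNS implementation): a toy authoritative server that either answers NODATA or, wrongly, NXDOMAIN for an empty non-terminal, and a resolver that applies RFC 8020 aggressive negative caching and RFC 7816 qname minimisation. The zone contents, its apex and the selector name are constructed.

```python
"""Model of an RFC 8020 / RFC 7816 resolver against an authoritative server
that answers NXDOMAIN for an empty non-terminal (ENT) versus NODATA."""

# Constructed zone: "_domainkeys.example.com" is an ENT; only the selector
# beneath it owns a record (placeholder DKIM key, not a real one).
ZONE = {
    ("example.com", "A"): "192.0.2.1",
    ("sel1._domainkeys.example.com", "TXT"): "v=DKIM1; p=PLACEHOLDER",
}
OWNERS = {name for name, _ in ZONE}
APEX = "example.com"  # assumed zone cut for the minimisation walk


def authoritative(name, qtype, buggy):
    """Rcode the authoritative server gives for an in-zone name: NOERROR
    with data, NODATA (NOERROR, empty answer) or NXDOMAIN. The buggy
    variant from the thread answers NXDOMAIN for an ENT instead of NODATA."""
    if (name, qtype) in ZONE:
        return "NOERROR"
    is_ent = any(owner.endswith("." + name) for owner in OWNERS)
    if name in OWNERS or (is_ent and not buggy):
        return "NODATA"
    return "NXDOMAIN"


class Resolver:
    def __init__(self, buggy, minimise=False):
        self.buggy, self.minimise = buggy, minimise
        self.nxdomain_cache = set()  # RFC 8020: names known not to exist

    def _ask(self, name, qtype):
        rcode = authoritative(name, qtype, self.buggy)
        if rcode == "NXDOMAIN":
            self.nxdomain_cache.add(name)
        return rcode

    def resolve(self, name, qtype):
        # RFC 8020 section 2: a cached NXDOMAIN covers every name below it,
        # so the query never reaches the authoritative server.
        if any(name == c or name.endswith("." + c) for c in self.nxdomain_cache):
            return "NXDOMAIN (synthesised from cache)"
        if self.minimise:
            # RFC 7816: walk down from the apex one label at a time with NS
            # queries; an NXDOMAIN on the way stops the resolution.
            labels = name.split(".")
            for i in range(len(labels) - len(APEX.split(".")) - 1, 0, -1):
                if self._ask(".".join(labels[i:]), "NS") == "NXDOMAIN":
                    return "NXDOMAIN"
        return self._ask(name, qtype)
```

With the correct server the selector resolves in every mode, and a genuinely non-existent name still yields the RFC 8020 benefit of synthesised NXDOMAIN for everything below it; with the buggy server the selector disappears as soon as the ENT is queried or minimisation is on.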