[dns-operations] NXDOMAIN vs NOERROR/no answers for non-existent records

Dave Lawrence tale at dd.org
Tue Apr 7 16:54:50 UTC 2020


Ángel writes:
> I have seen the opposite problem than the OP, servers returning NXDOMAIN
> when there are actually child records, and they should have returned
> NODATA, such as querying _domainkeys.

Right, this is absolutely a problem too, with the practical
consequence that it thwarts qname minimisation (RFC 7816) and
aggressive negative caching as you called out from 8020.  To be clear:

> Returning NODATA instead of NXDOMAIN would seem mostly to be an
> inefficiency, but section 4 of RFC 8020 documents how returning NXDOMAIN
> can mitigate some random QNAME attacks.

Yes, *proper and accurate* NXDOMAIN will do that.  But if you answer
NXDOMAIN for an empty non-terminal then you risk resolvers (not only
qname-minimising ones) not being able to properly resolve subdomains
that really do exist.

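The interaction described in this exchange, as an added toy model that is not part of the thread: a constructed zone in which `_domainkey.example.com.` is an empty non-terminal (no records of its own, but a DKIM selector below it), an authoritative server that can be switched between the correct NOERROR/NODATA answer and the incorrect NXDOMAIN answer for that name, an RFC 7816 style minimising resolver, and a non-minimising resolver that applies RFC 8020 aggressive negative caching. The zone contents, the resolver logic and the intermediate NS qtype are simplifications assumed for illustration; real resolvers also have to handle delegations and CNAMEs, which are ignored here.

```python
"""Toy model of RFC 7816 QNAME minimisation and RFC 8020 NXDOMAIN cut
semantics against an authoritative that answers an empty non-terminal
(ENT) either correctly (NOERROR/NODATA) or incorrectly (NXDOMAIN)."""

NXDOMAIN, NOERROR = "NXDOMAIN", "NOERROR"

# Constructed zone for the example. "_domainkey.example.com." owns no RRs but
# has a child, so it is an ENT and must be answered NOERROR with no data.
APEX = "example.com."
ZONE = {
    "example.com.": {"SOA": ["ns1.example.com. hostmaster.example.com. 1 ..."],
                     "NS": ["ns1.example.com."]},
    "ns1.example.com.": {"A": ["192.0.2.1"]},
    "selector1._domainkey.example.com.": {"TXT": ["v=DKIM1; p=<key>"]},
}


def labels_below_apex(name):
    """'a.b.example.com.' -> ['a', 'b'] (labels between the name and the apex)."""
    rel = name[: -len(APEX)].rstrip(".")
    return rel.split(".") if rel else []


def is_ent(name):
    """True when the name has no RRs itself but at least one descendant does."""
    return name not in ZONE and any(o.endswith("." + name) for o in ZONE)


def authoritative(qname, qtype, ent_as_nxdomain):
    """Answer one query. Returns (rcode, rdata list); NODATA is (NOERROR, [])."""
    if qname in ZONE:
        return NOERROR, ZONE[qname].get(qtype, [])
    if is_ent(qname):
        # The behaviour under discussion: a misconfigured server says NXDOMAIN
        # for a name that really does have children.
        return (NXDOMAIN, []) if ent_as_nxdomain else (NOERROR, [])
    return NXDOMAIN, []


def resolve_minimising(qname, qtype, ent_as_nxdomain):
    """RFC 7816 style walk: ask for one more label at a time, using NS as the
    intermediate qtype. An NXDOMAIN on any step stops the walk, because
    RFC 8020 says nothing exists below an NXDOMAIN name.
    Returns (rcode, rdata, list of queries sent)."""
    queries = []
    labels = labels_below_apex(qname)
    for i in range(1, len(labels) + 1):
        partial = ".".join(labels[-i:]) + "." + APEX
        final = partial == qname
        qt = qtype if final else "NS"
        rcode, rdata = authoritative(partial, qt, ent_as_nxdomain)
        queries.append((partial, qt, rcode))
        if rcode == NXDOMAIN or final:
            return rcode, rdata, queries
    # qname was the apex itself: a single direct query.
    rcode, rdata = authoritative(qname, qtype, ent_as_nxdomain)
    queries.append((qname, qtype, rcode))
    return rcode, rdata, queries


class NonMinimisingResolver:
    """Sends the full QNAME, but applies RFC 8020 aggressive negative caching:
    a cached NXDOMAIN for a name also answers every name below it."""

    def __init__(self, ent_as_nxdomain):
        self.ent_as_nxdomain = ent_as_nxdomain
        self.nxdomain_cache = set()

    def resolve(self, qname, qtype):
        for cut in self.nxdomain_cache:
            if qname == cut or qname.endswith("." + cut):
                return NXDOMAIN, [], "synthesised from negative cache"
        rcode, rdata = authoritative(qname, qtype, self.ent_as_nxdomain)
        if rcode == NXDOMAIN:
            self.nxdomain_cache.add(qname)
        return rcode, rdata, "asked authoritative"


def demo():
    """Run the DKIM selector lookup against both server behaviours and show
    the RFC 8020 benefit of an accurate NXDOMAIN for a random subdomain."""
    target = "selector1._domainkey.example.com."
    out = {}
    for buggy in (False, True):
        rcode, _, queries = resolve_minimising(target, "TXT", buggy)
        out[("minimising", buggy)] = (rcode, len(queries))
        r = NonMinimisingResolver(buggy)
        r.resolve("_domainkey.example.com.", "TXT")   # an earlier probe of the ENT
        rcode2, _, how = r.resolve(target, "TXT")
        out[("non-minimising", buggy)] = (rcode2, how)
    # Accurate NXDOMAIN at "nonexistent.example.com." lets the minimising
    # resolver reject a deeper random name after a single query.
    rcode, _, queries = resolve_minimising("x7q.y.nonexistent.example.com.", "A", False)
    out["random-subdomain"] = (rcode, len(queries))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

With the correct server both resolvers obtain the TXT record; with the server that answers NXDOMAIN for the ENT, the minimising resolver stops at `_domainkey.example.com.` and the non-minimising resolver, having cached that NXDOMAIN from an earlier query, synthesises NXDOMAIN for the selector without asking, which is the "not only qname-minimising ones" point above.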

