[dns-operations] NXDOMAIN vs NOERROR/no answers for non-existant records

Alexander Dupuy alexdupuy at google.com
Thu Apr 9 23:56:04 UTC 2020

Paul Vixie wrote:
> i hope CF will differentiate NODATA from NXDOMAIN in their signed DNSSEC
> responses, because the difference is absolutely vital to anyone who uses
> analytics as a defense vector.

I'd guess this is pretty unlikely, since a minimal online-generated
NXDOMAIN response would require two NSEC records (you have to prove
nonexistence of both the queried name and a matching wildcard) and their
RRSIGs, and these responses are called black lies, not white lies.

Florian Wiemer replied:

> It breaks search list processing in the stub resolver.

Thanks for pointing that out, it wouldn't have ever occurred to me, and
probably didn't occur to the Cloudflare team. However, given all the
problems that stub resolver search list processing causes for DNS
(excessive bogus queries, TLD name conflicts, etc.) that aspect of NODATA
responses seems like a fairly minor issue.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20200409/4a6c3d20/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3856 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20200409/4a6c3d20/attachment.bin>

More information about the dns-operations mailing list