[dns-operations] NXDOMAIN status, with answers?

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Feb 8 17:20:57 UTC 2021

On Mon, Feb 08, 2021 at 10:56:20AM -0500, Anthony Lieuallen via dns-operations wrote:

> The server that made me start this thread serves NXDOMAIN for both the
> name it is (and has a CNAME) and is not (where the CNAME
> points) authoritative for.

Some servers are both authoritative and recursive, and may "know" (via
their cache) that the target does not exist.  My understanding is that
absent an "rd" flag in the incoming query, they must keep such knowledge
to themselves, and not pollute the answer with an NXDOMAIN for which
they are not authoritative.

[ Just a sanity check, I expect you did not set the "rd" bit in the request
  sent to that server. ]

If the CNAME exists, and the target is not in bailiwick, or the target
is in a delegated subdomain, it must return NOERROR, not NXDOMAIN.
If the target is in bailiwick and not delegated (or the server is also
authoritative for the delegated subdomain), then it may return NXDOMAIN.

If the "DO" bit is set in the request and the target zone is signed,
then any NXDOMAIN response must provide the associated denial of
existence RRs (SOA, NSEC/NSEC3 and RRSIG records).

Are you willing to share the name of the domain in question?  Did
you check DNSViz?
