[dns-operations] Is NXDOMAIN wrong when a record of the same label but different type exists?

Patrick Mevzek dnsoarc at ext.deepcore.org
Mon Aug 5 22:25:38 UTC 2024


On Mon, Aug 5, 2024, at 16:51, Robert L Mathews wrote
>
> Am I correct that it's wrong for an authoritative DNS server to return 
> NXDOMAIN for a TXT query in the case where an A query for the same 
> label would be successful? If so, why do some recursive servers cache 
> that result, and others don't?

`NXDOMAIN` means the name does not exist, no matter which type.

As for the recursive, each answer (positive or negative with NXDOMAIN) has a TTL,
so that can influence the answers seen. It is also up to each recursive to decide
how strict it is or how much it is trying to please. Getting NXDOMAIN for a given type
should allow it to reply the same for any other type (on same name) for the given TTL,
which is what §5 of RFC 2038 says:
>       A negative answer that resulted from a name error (NXDOMAIN)
>       should be cached such that it can be retrieved and returned in
>       response to another query for the same <QNAME, QCLASS> that
>       resulted in the cached negative response.

(rule broadened in RFC 8020 also to cater for other names below that QNAME)

But note it is just "should" and not even the IETF normalized "SHOULD".
So implementation and deployments might differ.

> And finally, does anyone know of a reputable-seeming public tool I can 
> use to show the administrator of this zone that there's a problem?

https://dnsviz.net/d/mx.l3harris.com/dnssec/?rr=all&a=all&ds=all&doe=on&red=on&ignore_rfc8624=on&ignore_rfc9276=on&ta=.&tk=
is clearly showing the problems, just pass on all the warning signs
at the nodes on bottom, and they reference specific RFC sections.

-- 
  Patrick Mevzek
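Added example, not part of the thread and not taken from any resolver's code: a toy authoritative answer function beside a <QNAME, QCLASS>-keyed negative cache of the kind the reply quotes, showing why an authoritative that answers NXDOMAIN for a missing TXT type can make a recursive answer NXDOMAIN for the A query as well until the TTL expires. It goes one step beyond the post by also implementing the RFC 8020 climb to names below the cached NXDOMAIN; the zone contents, the name `mx.example.test.` and the 300 s TTL are constructed.

```python
from dataclasses import dataclass, field

ZONE = {"mx.example.test.": {"A": ["192.0.2.10"]}}  # constructed: A but no TXT

def authoritative_answer(qname, qtype, buggy=False):
    """Correct: a name that owns any RRset is never NXDOMAIN. buggy=True reproduces
    the thread's misbehaviour: NXDOMAIN whenever the requested type is absent."""
    rrsets = ZONE.get(qname.lower())
    if rrsets is None or (buggy and qtype not in rrsets):
        return "NXDOMAIN", []
    return "NOERROR", rrsets.get(qtype, [])  # empty answer here is NODATA

@dataclass
class NegativeCache:
    """Negative cache keyed by <QNAME, QCLASS> (RFC 2308 section 5): an NXDOMAIN
    entry covers every QTYPE at that name and, if aggressive, names below it."""
    aggressive: bool = True
    entries: dict = field(default_factory=dict)  # (qname, qclass) -> expiry

    def store_nxdomain(self, qname, qclass, ttl, now):
        self.entries[(qname.lower(), qclass)] = now + ttl

    def lookup(self, qname, qclass, qtype, now):
        """Return 'NXDOMAIN' if a live negative entry covers the query, else None."""
        name = qname.lower()
        while True:
            expiry = self.entries.get((name, qclass))
            if expiry is not None and now < expiry:
                return "NXDOMAIN"  # qtype is irrelevant: the whole name is gone
            if not self.aggressive or name == ".":
                return None
            name = name.split(".", 1)[1] or "."  # climb one label (RFC 8020)

def simulate(buggy, ttl=300):
    """What a recursive returns for TXT then A on the same name inside the TTL."""
    cache, seen = NegativeCache(), []
    for now, qtype in ((0, "TXT"), (10, "A")):
        rcode = cache.lookup("mx.example.test.", "IN", qtype, now)
        if rcode is None:
            rcode, answer = authoritative_answer("mx.example.test.", qtype, buggy)
            if rcode == "NXDOMAIN":
                cache.store_nxdomain("mx.example.test.", "IN", ttl, now)
            elif not answer:
                rcode = "NODATA"
        seen.append(rcode)
    return seen
```

With a correct authoritative the sequence is NODATA then NOERROR; with the buggy one the A query never reaches the authoritative and is answered NXDOMAIN from the cache.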