[Pdns-users] Re: Verify PowerDNS answers?

Alex van den Bogaerdt alex at ergens.op.het.net
Fri Oct 6 15:21:08 UTC 2006

On Fri, Oct 06, 2006 at 03:41:42PM +0200, bert hubert wrote:

> Warning about NXDOMAIN: It is clear from RFC 1034 and RFC 1035 that an
> NXDOMAIN guarantees the nonexistence of every subdomain of the query domain.
> For example, if a cache sees an NXDOMAIN for ns.heaven.af.mil, it can
> conclude that a.ns.heaven.af.mil and b.ns.heaven.af.mil don't exist. If a
> server has records for a.ns.heaven.af.mil and b.ns.heaven.af.mil, but no
> records for ns.heaven.af.mil, it sends a zero-records (#5) response, not an
> NXDOMAIN. However, RFC 2308 allows NXDOMAIN even when the domain exists, to
> indicate that there are no records of any type under the query name. So it
> is essential for interoperability that caches not draw the above conclusion.

After reading RFC2308 a couple of times, I think the situation described is:

-a- the original QNAME has a CNAME RR attached
-b- the end of the CNAME chain points to a domain that does not exist

Note: -b- is a non-existing domain, not a domain without any RRs.

RFC 1034 does say this in 4.3.1:
    If recursive service is requested and available, the recursive response
    to a query will be one of the following:
    - A name error indicating that the name does not exist.  This
      may include CNAME RRs that indicate that the original query
      name was an alias for a name which does not exist.
Again: "... name which does not exist.", not "empty RR set".

- answer NXDOMAIN but with CNAME RR means: the domain does exist,
  but the one it is pointing to does not.
- answer NXDOMAIN without CNAME RR means: the domain does not exist.

Resource records are not important, except the CNAME RR in a chain
to be followed.

In other words:

NXDOMAIN really means a domain did not exist.  The only thing that
caches need to be aware of, is that it may not be the original QNAME
that does not exist.

Your thoughts?
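
Added example, not part of the original post: a Python sketch of the reading above, in which an NXDOMAIN applies to the name at the end of the CNAME chain in the answer section rather than to the original QNAME, so a cache records only that name as nonexistent. The function names, the tuple layout and the sample records are assumptions constructed for illustration.

```python
NXDOMAIN = 3  # RCODE 3, "Name Error" in RFC 1035


def norm(name):
    """Canonical form for comparison: lower case, no trailing dot."""
    return name.rstrip(".").lower()


def nxdomain_subject(qname, rcode, answer):
    """Return (aliases, nonexistent) for one response.

    answer: (owner, rrtype, rdata) tuples from the answer section.
    aliases: names that exist because they own a CNAME in the chain.
    nonexistent: the name the NXDOMAIN applies to, or None if the
    rcode is not NXDOMAIN.
    """
    # Index CNAMEs by owner; record order in the message is not relied on,
    # and CNAMEs that are not reachable from qname are ignored.
    cnames = {norm(o): norm(t) for o, rrtype, t in answer if rrtype == "CNAME"}
    current, aliases = norm(qname), []
    while current in cnames:
        if current in aliases:
            raise ValueError("CNAME loop at " + current)
        aliases.append(current)
        current = cnames[current]
    return aliases, (current if rcode == NXDOMAIN else None)


if __name__ == "__main__":
    # Constructed sample responses (not captured traffic).
    samples = [
        ("www.example.com.", NXDOMAIN,
         [("www.example.com.", "CNAME", "host.example.net.")]),
        ("missing.example.com.", NXDOMAIN, []),
    ]
    negative_cache = set()
    for qname, rcode, answer in samples:
        aliases, gone = nxdomain_subject(qname, rcode, answer)
        if gone is not None:
            negative_cache.add(gone)
        print(qname, "aliases:", aliases, "nonexistent:", gone)
    # www.example.com must not be cached as nonexistent.
    print(sorted(negative_cache))
```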
