Sam Trenholme's webpage

April 23 2011

Some feel that NXDOMAIN should not only mean "this host name does not exist", but also should mean "not only does this host name not exist, but any child names also do not exist" (in more detail, if returns a NXDOMAIN, some feel this means does not exist, but tinydns will return a NXDOMAIN for even if exists):
However, back in 1999, Paul Vixie said that a server must return a NXDOMAIN, even if there are child names:
From: Paul A Vixie {}
Subject: Re: sub.dom with cached NXDOMAIN dom
Date: 1999/12/08
Message-ID: {}#1/1
X-Deja-AN: 558054698
Organization: none
Mime-Version: 1.0
NNTP-Posting-Date: 8 Dec 1999 08:02:48 GMT
Newsgroups: comp.protocols.dns.std

} Here are three ways to use a recently cached NXDOMAIN IN A:
}    (1) Respond NXDOMAIN for any IN query within the domain.
}    (2) Respond NXDOMAIN for any IN query for the name
}    (3) Respond NXDOMAIN for any IN A query for the name
} RFC 2308 recommends #2. It doesn't mention #1 or #3. Is this choice
} based on some unpublished statistics on caching effectiveness? Or did
} RFC 2308 actually mean to recommend #1?

NXDOMAIN's scope is the {name,type}.  RFC 2308 implicitly outlawed BIND's
behaviour, which is to return NOERROR/ANCOUNT=0 for empty nonterminals.
After RFC 2308, empty nonterminals are signalled with NXDOMAIN.  Therefore
#1 would be incorrect.  #3, while correct, would waste information since
NXDOMAIN signals "no RRs of any type at this name".

And DJB referring to this:
There actually isn't an RFC that requires this behavior. What there is instead is a draft proposal:
Hauke Lampe pointed out that recent Unbound builds no longer expect NXDOMAIN to mean "also for all domain names below" unless the remote cache supports DNSSEC:
He is referring to the changelog in Unbound's SVN trunk:

  • MaraDNS 1.0 never returned a NXDOMAIN
  • MaraDNS 1.2 returned a NXDOMAIN if a given name has no answers. Child nodes are not checked.
  • Newer versions of MaraDNS have MaraDNS 1.2's behavior.
  • This is generally a non-issue, since MaraDNS synthesizes SOA records for zones if the zone does not have a SOA record.
  • Since MaraDNS does not have DNSSEC, this should be a non-issue. Quite frankly, this behavior should be considered undefined by default, and, if the behavior is desired, there should be a EDNS0 flag requesting the behavior.

My thoughts:
  • DJB is right. This is new behavior, and a lot of DNS software written before this draft RFC was made does not have this behavior.
  • Accusations of RFC non-compliance need to quote chapter and verse of the relevant RFC or are invalid.
  • Even if a future RFC codified that NXDOMAIN means "all names that are a child of this name also do not exist" (this would be a bad case of "retcon"), this would be, by and large, a non-issue with MaraDNS, since all zones have SOA records at the top of the zone, so requests for zone tops never generate NXDOMAIN responses.
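To make the difference between option #1 and option #2 from the quoted thread concrete, here is an added example (my own model, not code from MaraDNS, tinydns or Unbound) of a resolver's negative cache under each scope, talking to an authoritative server with the MaraDNS 1.2 behavior listed above; the zone, names and addresses are constructed.

```python
# Constructed zone: owner name -> {rrtype: [rdata]}. "_tcp.example.com." is an
# empty non-terminal: it owns no records, but a child of it does.
ZONE = {
    "example.com.": {
        "SOA": ["ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300"],
        "A": ["192.0.2.1"],
    },
    "_sip._tcp.example.com.": {"SRV": ["10 0 5060 sip.example.com."]},
    "sip.example.com.": {"A": ["192.0.2.2"]},
}

def authoritative(name, rrtype):
    """MaraDNS 1.2 / tinydns style: a name with no records of any type gets
    NXDOMAIN; child names are not checked. A name that exists but lacks the
    requested type gets NOERROR with an empty answer."""
    rrsets = ZONE.get(name)
    if rrsets is None:
        return ("NXDOMAIN", [])
    return ("NOERROR", rrsets.get(rrtype, []))

class NegativeCache:
    """Negative cache using one scope from the thread: 'name' is RFC 2308
    option #2 (the {name}, all types); 'subtree' is option #1."""
    def __init__(self, scope):
        assert scope in ("name", "subtree")
        self.scope = scope
        self.nxdomain = set()

    def _covered(self, name):
        if self.scope == "name":
            return name in self.nxdomain
        # subtree: a cached NXDOMAIN for the name or any ancestor denies it
        labels = name.split(".")
        return any(".".join(labels[i:]) in self.nxdomain for i in range(len(labels)))

    def resolve(self, name, rrtype):
        if self._covered(name):
            return ("NXDOMAIN", [])
        rcode, rdata = authoritative(name, rrtype)
        if rcode == "NXDOMAIN":
            self.nxdomain.add(name)
        return (rcode, rdata)

def demo(scope):
    """Query the empty non-terminal first, then its existing child."""
    cache = NegativeCache(scope)
    cache.resolve("_tcp.example.com.", "A")  # authority answers NXDOMAIN
    return cache.resolve("_sip._tcp.example.com.", "SRV")
```

Under the 'subtree' scope the second query is answered NXDOMAIN from cache even though the SRV record exists, which is the failure mode the text describes; under the 'name' scope it goes to the authority and succeeds.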

Update: I have posted to the dnsext mailing list my concerns:
