auth-nxdomain yes

Mark Andrews marka at
Sun Nov 15 23:57:56 UTC 2015

In message < at>, Gor
don Freeman writes:
> option: auth-nxdomain
> I see the default for this is no, but what exactly are the ramifications
> of setting this to yes?

RFC 1034 or RFC 1035 stated that NXDOMAIN will always be authoritative
(can't remember which).  Setting this to yes allows clients that
look for the "aa" bit on NXDOMAIN to accept the answer.  Modern
nameservers set the "aa" bit to reflect if this a authoritative
answer (aa=1) or a cached answer (aa=0).  This really hasn't been
a issues in decades.

> I have a tiered architecture for name servers, where down-level servers
> do forwarding for unknown domains.  Will setting auth-nxdomain to yes
> prevent continual forwarding of queries of non-existent domain names?  
> I'm hoping the answer is yes, so that once an NXDOMAIN response is
> received by the name server, it will not forward repeated queries for
> that same name, at least for as long as the negative cache TTL.  Thanks.

Named does that by default.  Not all authoritative sources however
provide a cachable negative answer.

> _______________________________________________
> Please visit to unsubscribe
>  from this list
> bind-users mailing list
> bind-users at
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at

More information about the bind-users mailing list