BIND9's NXDOMAIN vs NOERROR/NODATA

Paul Vixie paul at vix.com
Thu Dec 12 20:16:00 UTC 2002


> If you have, say, an A RR for foo.bar.example.com but no records for
> bar.example.com and send a query for "bar.example.com" of any type,
> older BINDs will answer NOERROR, empty answer section ("NODATA").
> BIND 9 will return "NXDOMAIN". From the first one can deduce the
> existence of something below "bar.example.com", while the second is
> really misleading.

i agree.

> This must have been discussed before, but all I found was a rather old
> quote from Paul Vixie stating:
> 
> >> NXDOMAIN's scope is the {name,type}.  RFC 2308 implicitly outlawed BIND's
> >> behaviour, which is to return NOERROR/ANCOUNT=0 for empty nonterminals.

note that i was wrong.  NXDOMAIN's scope is {name}, and is type-independent.

> I did not yet manage to read this into RFC 2308 (section 2, I guess)
> and being "implicit" it would be in contradiction to section 4.3.2 of
> RFC 1034. How can "bar.example.com" not exist if "foo.bar.example.com"
> does and obviously is below "bar.example.com" in the DNS hierarchy?
> This is not consistent.

that's true, and in the case of inconsistency there is no right answer, and
in this case the latter document (RFC2308) was allowed to win.

> Could someone please agree with me or shed some light upon this? Thanks!

i still think NOERROR/ANCOUNT=0 is the right answer.
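
The two behaviours discussed in this thread, as an added example that is not part of the original message or of BIND's code. The zone contents, the `classify` function and the `ent_policy` switch are constructed for illustration, and the model assumes every query name is inside the zone and ignores wildcards, CNAMEs and delegations.

```python
# Constructed sample zone: owner name -> {type: [rdata, ...]}.
# "bar.example.com." owns no records but has a name below it,
# so it is an empty non-terminal.
ZONE = {
    "example.com.": {"NS": ["ns1.example.com."]},
    "foo.bar.example.com.": {"A": ["192.0.2.1"]},
}


def normalize(name):
    """Lower-case a name and return it as a tuple of labels."""
    return tuple(name.lower().rstrip(".").split("."))


def classify(zone, qname, qtype, ent_policy="nodata"):
    """Return (rcode, ancount) for a query against the zone.

    ent_policy selects the answer for an empty non-terminal:
      "nodata"   -> NOERROR with ANCOUNT=0 (the older BIND behaviour)
      "nxdomain" -> NXDOMAIN (what the thread reports for BIND 9)
    """
    owners = {normalize(n): rrsets for n, rrsets in zone.items()}
    q = normalize(qname)

    if q in owners:
        # The name exists: either the type matches or it is NODATA.
        return ("NOERROR", len(owners[q].get(qtype, [])))

    # No records at q. Does any owner name sit below it in the tree?
    has_descendant = any(
        len(o) > len(q) and o[-len(q):] == q for o in owners
    )
    if has_descendant and ent_policy == "nodata":
        return ("NOERROR", 0)

    # Either nothing at or below q, or the policy treats the
    # empty non-terminal as non-existent.
    return ("NXDOMAIN", 0)


if __name__ == "__main__":
    for policy in ("nodata", "nxdomain"):
        print(policy, classify(ZONE, "bar.example.com", "A", policy))
```
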


More information about the bind-workers mailing list