BIND9's NXDOMAIN vs NOERROR/NODATA

Mark_Andrews at isc.org Mark_Andrews at isc.org
Fri Dec 13 01:30:36 UTC 2002


> At 17:08 2002-12-12, Mark_Andrews at isc.org wrote:
> 
> >         Well I still think there is DNSSEC is wrong on this and the
> >         rcode should be NOERROR.  We should use DS as a opportunity to
> >         fix this.
> 
> Not needed we are in the process of re documenting DNSSEC and
> this should be covered there. I have forwarded this thread to the
> editors to figure out if this is a simple clarify or requires
> action. Feel free to bring this issue up on namedroppers and
> if we have a clear consensus that Bind-9 is wrong then DNSSEC-bis
> can reflect that.

	I was meaning that any change in code should be rolled out
	along with the DS rollout.  I didn't mean that this should be
	part of the DS spec.

> >         It is possible by looking at the NXT record alone to determine
> >         if the query name is actually for a empty node.
> 
> Exactly, the non terminal node exists in the sense it terminates a wild
> card but as there is no data a the node no NXT is needed for it.

	Given these two nodes that are adjacent when the zone is sorted
	in DNSSEC (flat) order:
	a.foo.example.net
	xx.bb.cc.foo.example.net

	Queries against:
	bb.cc.foo.example.net would return NOERROR
	aa.cc.foo.example.net would return NXDOMAIN
	
	In both cases the NXT record would be:
	a.foo.example.net NXT xx.bb.cc.foo.example.net ...

	bb.cc.foo.example.net NXDOMAIN is a error
	aa.cc.foo.example.net NOERROR is a error

	Mark

>          Olafur
> 
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org


More information about the bind-workers mailing list