BIND9's NXDOMAIN vs NOERROR/NODATA
Mark_Andrews at isc.org
Mark_Andrews at isc.org
Fri Dec 13 01:30:36 UTC 2002
> At 17:08 2002-12-12, Mark_Andrews at isc.org wrote:
>
> > Well I still think there is DNSSEC is wrong on this and the
> > rcode should be NOERROR. We should use DS as a opportunity to
> > fix this.
>
> Not needed we are in the process of re documenting DNSSEC and
> this should be covered there. I have forwarded this thread to the
> editors to figure out if this is a simple clarify or requires
> action. Feel free to bring this issue up on namedroppers and
> if we have a clear consensus that Bind-9 is wrong then DNSSEC-bis
> can reflect that.
I was meaning that any change in code should be rolled out
along with the DS rollout. I didn't mean that this should be
part of the DS spec.
> > It is possible by looking at the NXT record alone to determine
> > if the query name is actually for a empty node.
>
> Exactly, the non terminal node exists in the sense it terminates a wild
> card but as there is no data a the node no NXT is needed for it.
Given these two nodes that are adjacent when the zone is sorted
in DNSSEC (flat) order:
a.foo.example.net
xx.bb.cc.foo.example.net
Queries against:
bb.cc.foo.example.net would return NOERROR
aa.cc.foo.example.net would return NXDOMAIN
In both cases the NXT record would be:
a.foo.example.net NXT xx.bb.cc.foo.example.net ...
bb.cc.foo.example.net NXDOMAIN is a error
aa.cc.foo.example.net NOERROR is a error
Mark
> Olafur
>
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
More information about the bind-workers
mailing list