BIND9's NXDOMAIN vs NOERROR/NODATA
andris at hpl.hp.com
Fri Dec 13 03:42:35 UTC 2002
> At 17:08 2002-12-12, Mark_Andrews at isc.org wrote:
> > Well, I still think DNSSEC is wrong on this and the
> > rcode should be NOERROR. We should use DS as an opportunity to
> > fix this.
> Not needed; we are in the process of redocumenting DNSSEC and
> this should be covered there. I have forwarded this thread to the
> editors to figure out if this is a simple clarify or requires
> action. Feel free to bring this issue up on namedroppers and
> if we have a clear consensus that Bind-9 is wrong then DNSSEC-bis
> can reflect that.
If the consensus is that a simple clarify is sufficient for dealing
with this rcode anomaly with signed data (with the NXT record available
to clear up ambiguities), do the BIND developers still need a protocol
agreement in order to have BIND9 give the correct response for unsigned
data for which no NXT record is available? If NXDOMAIN is deemed to be
the correct rcode for an empty node, then one possible way to deal with
this problem for unsigned data is to synthesize the NXT record if asked
since even unsigned data (if I understand correctly) is stored in DNSSEC
order. I prefer fixing the rcode to its historic meaning, though.
> > It is possible by looking at the NXT record alone to determine
> > if the query name is actually for an empty node.
> Exactly, the non-terminal node exists in the sense it terminates a
> wildcard, but as there is no data at the node no NXT is needed for it.
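The check mentioned in the quoted remark above, deciding from one NXT record whether a query name is an empty node, as an added example that is not part of the original message or of BIND's code. It assumes escape-free ASCII names, an NXT chain in canonical order whose last record points back to the apex, and a constructed zone under `example.`; the function names and result labels are hypothetical, and it takes no position on which rcode should accompany each result.

```python
# Added example: classify a query name using a single NXT record (owner -> next).
# Constructed zone: example., a.example., x.y.example., z.example.
# y.example. owns no records but has a name below it, so it is an empty node.

def canonical_key(name):
    """Sort key for DNSSEC canonical order: labels compared right to left,
    case-folded, each label compared as a byte string."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return tuple(l.encode("ascii") for l in reversed(labels))

def is_strict_subdomain(child, parent):
    """True if child lies strictly below parent in the tree."""
    c, p = canonical_key(child), canonical_key(parent)
    return len(c) > len(p) and c[:len(p)] == p

def nxt_covers(qname, owner, next_name):
    """True if qname falls in the gap that this NXT record proves empty."""
    q, o, n = map(canonical_key, (qname, owner, next_name))
    if o < n:
        return o < q < n
    # Last NXT in the zone: next wraps to the apex, so the gap is "after owner".
    return q > o

def classify(qname, owner, next_name):
    """Return 'exists', 'empty-node', 'no-such-name' or 'not-covered'."""
    if canonical_key(qname) == canonical_key(owner):
        return "exists"            # the NXT owner itself holds records
    if not nxt_covers(qname, owner, next_name):
        return "not-covered"       # this NXT says nothing about qname
    # Descendants sort immediately after their ancestor, so if anything exists
    # below qname, the next name in the chain must be one of those descendants.
    if is_strict_subdomain(next_name, qname):
        return "empty-node"
    return "no-such-name"

if __name__ == "__main__":
    nxt = ("a.example.", "x.y.example.")   # constructed NXT record
    for q in ("y.example.", "b.example.", "a.example."):
        print(q, classify(q, *nxt))
```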