On Wed, Apr 22, 2015 at 9:12 AM, Stephane Bortzmeyer <[email protected]> wrote:
> Strange behavior:
>
> % for ns in $(dig +nodnssec +short NS adult.); do
> echo $ns
> dig @$ns NS thisdomaincertainlydoesnotexist.adult |& grep status:
> done
> d0.nic.adult.
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13433
> c0.nic.adult.
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23111
> a0.nic.adult.
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3358
> a2.nic.adult.
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48334
> b2.nic.adult.
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29932
> b0.nic.adult.
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58405
>
> IMHO, all the name servers should reply NXDOMAIN, no?
>
> DNSviz does complain:
>
> http://dnsviz.net/d/adult/dnssec/?rr=all&a=all&ds=all&doe=on&ta=.&ta=dlv.isc.org.&tk=
>

FWIW, DNSViz was complaining, but due to a bug (in DNSViz) it wasn't clear what it was complaining about. In this case the issue was that it was a NODATA response but there was no NSEC3 record matching the QNAME in the response. It has now been fixed.

http://dnsviz.net/d/adult/VTe7yw/dnssec/?rr=all&a=all&ds=all&doe=on&ta=.&ta=dlv.isc.org.&tk=

The proof in the response indicated NXDOMAIN, but the response code didn't match.

Cheers,
Casey
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
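The consistency check described in the message above, as an added example that is not part of the original post and is not DNSViz code: it hashes the QNAME per RFC 5155 and compares what the NSEC3 records prove (matching record means NODATA, covering record means NXDOMAIN) with the RCODE. The salt, iteration count and NSEC3 record are constructed placeholders, not the real parameters of the adult. zone, and `check_denial` is a hypothetical helper name.

```python
import base64
import hashlib

# base32 (RFC 4648) -> base32hex alphabet, which NSEC3 owner names use
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 hash (SHA-1) of a domain name, as base32hex."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_B32HEX).lower()

def covers(owner, nxt, h):
    """True if hash h falls strictly between owner and next (with wrap-around)."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt  # last record in the chain wraps to the first

def check_denial(rcode, qname, nsec3s, salt_hex, iterations):
    """Compare the RCODE of an empty response with what its NSEC3 records prove.

    nsec3s: list of (owner_hash, next_hash) pairs from the authority section.
    Simplification: only the QNAME itself is tested, which is enough when the
    closest encloser is the zone apex (a nonexistent name directly under a TLD).
    """
    h = nsec3_hash(qname, salt_hex, iterations)
    if any(owner == h for owner, _ in nsec3s):
        proof = "NODATA"      # QNAME exists, the queried type does not
    elif any(covers(o, n, h) for o, n in nsec3s):
        proof = "NXDOMAIN"    # QNAME falls in a gap of the hash chain
    else:
        proof = "NONE"
    expected = {"NOERROR": "NODATA", "NXDOMAIN": "NXDOMAIN"}.get(rcode)
    return proof, proof == expected

# Constructed sample: one NSEC3 record spanning the whole hash space, so any
# QNAME is covered. Salt and iteration count are placeholders, not .adult's.
SALT, ITER = "aabbccdd", 12
QNAME = "thisdomaincertainlydoesnotexist.adult."
GAP = [("0" * 32, "v" * 32)]

if __name__ == "__main__":
    for server, rcode in [("a0.nic.adult.", "NXDOMAIN"), ("a2.nic.adult.", "NOERROR")]:
        print(server, rcode, check_denial(rcode, QNAME, GAP, SALT, ITER))
```

A result of `("NXDOMAIN", False)` is the situation reported for the servers answering NOERROR: the proof says the name does not exist, but the response code says otherwise.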
