SERVFAIL <=> NXDOMAIN

Irenäus Becker becker at dominic.de
Fri Jun 15 09:55:36 UTC 2007


Hi,

thank you very much. This helps us to solve our problems.

Best regards,
Irenäus

>> Nic.at now checks all nameservers for existing entries for the affected zone.
>> If all nameservers return an NXDOMAIN (Bind) everything is fine.
>> Our NSD nameservers return the status SERVFAIL. Nic.at interprets this
>> return-code as an error and does not finish this transaction completely.
>>     
>
> I haven't checked your view of nic.at's policies and/or procedures and would
> appreciate a comment from AT. That said, ...
>
>   
>> Is it possible to return an NXDOMAIN instead of a SERVFAIL? Are there
>>     
>
> ... SERVFAIL is probably the more protocolly correct response but not the only
> possible one.
> Some scenarios are listed in <draft-koch-dns-unsolicited-queries-01.txt>
>
>   
>> different possibilities how this point can be resolved?
>>     
>
> If you really need to respond NXDOMAIN (and again, I'm not saying you do),
> one approach is to define an empty (lest the served delegations) parent TLD
> (here: AT) zone on your server(s). But careful: there may be side effects
> and you should make sure not to leak false information.  The bottom line is:
> if the problem exists, it can be solved by configuration, not by teaching
> nsd to violate the protocol.
>
> -Peter
>
>
>   
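
A simplified model of the behaviour discussed in this thread, added here as an illustration (not NSD code and not written by any poster): it shows why a name with no enclosing zone gets SERVFAIL, how an empty parent zone turns that into NXDOMAIN, and the side effect that every other name under the parent is then denied as well. All zone names, function names and outcome labels are constructed assumptions.

```python
# Added example: simplified model of response-code selection on an
# authoritative-only server. Not NSD's code; zone names are constructed.

def closest_zone(qname, zones):
    """Longest configured zone apex enclosing qname, or None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        apex = ".".join(labels[i:])
        if apex in zones:
            return apex
    return None

def respond(qname, zones):
    """zones: apex -> {"names": set, "delegations": set}. Returns an outcome label."""
    q = qname.lower().rstrip(".")
    apex = closest_zone(q, zones)
    if apex is None:
        return "SERVFAIL"   # no enclosing zone: the behaviour reported in the thread
    zone = zones[apex]
    for child in zone["delegations"]:
        if q == child or q.endswith("." + child):
            return "REFERRAL"   # child zone not loaded here: point at its NS set
    owners = zone["names"] | zone["delegations"]
    if q in owners or any(o.endswith("." + q) for o in owners):
        return "NOERROR"    # name exists (or is an empty non-terminal)
    return "NXDOMAIN"       # authoritative denial

def survey(zones, qnames):
    """Outcome for each query name against one server configuration."""
    return {q: respond(q, zones) for q in qnames}

# Constructed configuration: one zone still served, one already removed.
SERVED = {"still-served.at": {"names": {"still-served.at", "www.still-served.at"},
                              "delegations": set()}}
# Workaround from the thread: a parent zone holding only its apex and the
# delegations actually served on this machine.
WITH_EMPTY_PARENT = dict(SERVED, at={"names": {"at"},
                                     "delegations": {"still-served.at"}})
QUERIES = ["removed.at", "www.still-served.at", "unrelated.at"]

if __name__ == "__main__":
    print("before:", survey(SERVED, QUERIES))
    print("after: ", survey(WITH_EMPTY_PARENT, QUERIES))
```

The `unrelated.at` result in the second survey is the false information the reply warns about: the server now denies names it knows nothing about.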
