On Tue, Apr 09, 2024 at 01:09:20PM -0500, David Zych <d...@illinois.edu> wrote a message of 121 lines which said:
> The problem: when queried for a record underneath ag.gov. which does
> not exist, these nameservers do not return a proper NXDOMAIN
> response; instead, they don't answer at all.

Funny enough, it depends on the QTYPE.

% dig @ns2.usda.gov. nonono.ag.gov A
;; communications error to 2600:12f0:0:ac04::206#53: timed out
;; communications error to 2600:12f0:0:ac04::206#53: timed out
;; communications error to 2600:12f0:0:ac04::206#53: timed out
;; communications error to 199.141.126.206#53: timed out

; <<>> DiG 9.18.24-1-Debian <<>> @ns2.usda.gov. nonono.ag.gov A
; (2 servers found)
;; global options: +cmd
;; no servers could be reached

% dig @ns2.usda.gov. nonono.ag.gov NS

; <<>> DiG 9.18.24-1-Debian <<>> @ns2.usda.gov. nonono.ag.gov NS
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44750
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1220
; COOKIE: 108e6a3526539745cbe04caf6617b75afc5cf42f25232e56 (good)
;; QUESTION SECTION:
;nonono.ag.gov.			IN	NS

;; AUTHORITY SECTION:
ag.gov.			900	IN	SOA	ns1.usda.gov. duty\.officer.usda.gov. (
...

> The practical trouble this causes has to do with an increasingly popular DNS
> privacy feature called QNAME Minimization, which depends upon authoritative
> DNS servers like yours responding in a standards-compliant way to queries like
>
> _.ag.gov IN A
> _.ars.ag.gov IN A
> _.tucson.ars.ag.gov IN A

More fun: the previous version of QNAME minimisation used QTYPE=NS. It
then changed to QTYPE=A precisely to work around broken middleboxes.
(And also to avoid sticking out.)

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
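The dig runs above show the failure by hand: the same nonexistent name gets NXDOMAIN for QTYPE=NS but no reply at all for QTYPE=A, which is exactly the query a QNAME-minimising resolver sends. The following script is an added example, not code from this thread or from any resolver; it builds the two queries in raw DNS wire format, sends each one without recursion (RD=0, as a resolver talks to an authoritative server), treats a timeout as "no answer", and classifies the pair of results. The target server and zone in the `__main__` block are placeholders to replace with the server under test, and the embedded NXDOMAIN reply is constructed here to exercise the parser offline, not captured from any real server.

```python
# Added example (not part of the mailing-list thread): probe an authoritative
# server for the QTYPE-dependent non-answer described above. QTYPE=A is what
# RFC 9156 QNAME minimisation sends today; QTYPE=NS is what the earlier
# RFC 7816 scheme sent. A server that answers NS but drops A breaks the
# current scheme while the old one would have worked.
import os
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}
QTYPE_CODES = {"A": 1, "NS": 2, "AAAA": 28}
FLAG_QR = 0x8000   # message is a response
FLAG_AA = 0x0400   # authoritative answer


def encode_name(name):
    """Encode a dotted owner name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid):
    """One-question query with RD=0 and no EDNS, as a resolver would send
    to an authoritative server."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_CODES[qtype], 1)
    return header + question


def parse_response(msg, expected_txid):
    """Pull the header fields we care about out of a raw response, after
    checking it really is a response to our transaction ID."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    return {
        "rcode": RCODE_NAMES.get(rcode, str(rcode)),
        "aa": bool(flags & FLAG_AA),
        "answer_count": an,
        "authority_count": ns,
    }


def probe(server, name, qtype, timeout=3.0):
    """Send one UDP query; return the parsed reply, or None on timeout
    (the 'they don't answer at all' case from the thread)."""
    txid = int.from_bytes(os.urandom(2), "big")
    query = build_query(name, qtype, txid)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data, txid)


def classify(results):
    """Map {qtype: parsed reply or None} to a short verdict."""
    a, ns = results.get("A"), results.get("NS")
    if a is None and ns is None:
        return "unreachable"
    if a is None and ns is not None and ns["rcode"] == "NXDOMAIN":
        # The behaviour in the thread: NS gets NXDOMAIN, A is silently dropped.
        return "drops-A-answers-NS"
    if a is not None and ns is not None and \
            a["rcode"] == ns["rcode"] == "NXDOMAIN":
        return "ok"
    return "inconsistent"


# Constructed NXDOMAIN reply (not captured from any server): QR and AA set,
# RCODE=3, the question echoed back, no records in any section.
CONSTRUCTED_NXDOMAIN = (struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_AA | 3,
                                    1, 0, 0, 0)
                        + encode_name("_.ag.gov") + struct.pack("!HH", 1, 1))


if __name__ == "__main__":
    # Placeholder target; substitute the authoritative server and zone to test.
    server, zone = "192.0.2.53", "example.com"
    name = "_." + zone
    verdict = classify({qt: probe(server, name, qt) for qt in ("A", "NS")})
    print(name, "->", verdict)
```

Run it against each listed nameserver of the zone, not just one, since the dig output above shows both the IPv6 and IPv4 addresses of the same server timing out; a verdict of "drops-A-answers-NS" on any of them is enough to make QNAME-minimising resolvers fail for names beneath that zone.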