On 2012-04-04, at 11:31, Tony Finch wrote:

> I think BIND treats NXDOMAIN replies with the wrong authority as a
> FORMERR. Domainers are returning positive replies which BIND does not
> subject to a SOA sanity check.

monster.hopcount.ca is serving the fake (empty apart from apex SOA/NS and glue) 
root zone (and nothing else).

hopcount.ca. has delegation

  empty.hopcount.ca. NS monster.hopcount.ca.

I tested

  unbound 1.4.9
  unbound 1.4.13
  BIND 9.8.1-P1
  Google DNS
  OpenDNS

by sending queries "EMPTY.HOPCOUNT.CA/IN/A" and "EMPTY.HOPCOUNT.CA/IN/PTR".

OpenDNS lied about the answer when I asked for an A, but that's to be expected 
with their public service (and I guess suggests that there's nothing remarkable 
about empty.hopcount.ca as far as it is concerned). All other nameservers gave 
a prompt NXDOMAIN.

I think the observation that this is not actually the same as what the 
domainers do (since these are negative responses, and domainers return answer 
section data) is a good one, but I don't see the problem you mention in the 
wild. Admittedly I only tested a small set of servers.


Joe
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
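
The kind of SOA sanity check discussed in this message, as an added example (not part of the original mail and not BIND's or unbound's code): it parses a negative response and accepts it only if the authority-section SOA owner is at or below the expected zone cut and at or above the QNAME. The function names, that two-part rule as a model of the check, and the response bytes are assumptions constructed for illustration; only the hopcount.ca names come from the message.

```python
import struct

def encode_name(name):
    """Text name -> uncompressed wire format ("." encodes as the root)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l) + b"\x00"

def read_name(msg, off):
    """Decode a possibly compressed name: (lowercased labels, next offset)."""
    labels, end = [], None
    for _ in range(256):                      # bounded, so pointer loops terminate
        n = msg[off]
        if n == 0:
            return tuple(labels), (off + 1 if end is None else end)
        if n & 0xC0 == 0xC0:                  # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        else:
            labels.append(msg[off + 1:off + 1 + n].lower())
            off += 1 + n
    raise ValueError("name too long or compression pointer loop")

def parse_negative(msg):
    """Return (rcode, qname, owner of the first authority-section SOA or None)."""
    _, flags, _, an, ns, _ = struct.unpack("!6H", msg[:12])
    qname, off = read_name(msg, 12)
    off, soa = off + 4, None                  # skip QTYPE and QCLASS
    for i in range(an + ns):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if i >= an and rtype == 6 and soa is None:   # type 6 = SOA
            soa = owner
    return flags & 0xF, qname, soa

def within(name, zone):                       # True if name is at or below zone
    return len(name) >= len(zone) and name[len(name) - len(zone):] == zone

def soa_is_sane(msg, zone_cut):
    """Accept only if the SOA owner is at or below zone_cut and covers the QNAME."""
    _, qname, soa = parse_negative(msg)
    cut, _ = read_name(encode_name(zone_cut), 0)
    return soa is not None and within(soa, cut) and within(qname, soa)

def nxdomain(qname, soa_owner):
    """Constructed NXDOMAIN reply (QR, AA, RCODE 3) with one authority SOA."""
    rdata = (encode_name("ns.invalid.") + encode_name("admin.invalid.")
             + struct.pack("!5I", 1, 3600, 900, 604800, 300))
    return (struct.pack("!6H", 0x1234, 0x8403, 1, 0, 1, 0)
            + encode_name(qname) + struct.pack("!HH", 1, 1)
            + encode_name(soa_owner) + struct.pack("!HHIH", 6, 1, 300, len(rdata)) + rdata)
```

With the delegation described above, a reply carrying the root SOA for EMPTY.HOPCOUNT.CA fails the check, while the same reply with an SOA owned by empty.hopcount.ca passes.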
