On 2013-02-22, at 09:39, Mark Andrews <ma...@isc.org> wrote:

> I can well imagine a machine doing a reverse lookup on a proposed
> address and not proceeding with that address if it doesn't get a
> NXDOMAIN.
>
> NODATA -> unsafe
> NXDOMAIN -> may be safe

So, out of interest, do you think it's legitimate for an omniscient server to return something like this? (note the RCODE and the SOA RRSet returned in the authority section)

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41208
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;1.1.1.10.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
1.1.1.10.in-addr.arpa. 604800 IN SOA prisoner.iana.org. hostmaster.root-servers.org. 1 1800 900 604800 604800

;; Query time: 3 msec
;; SERVER: 192.175.48.6#53(192.175.48.6)
;; WHEN: Fri Feb 22 13:45:36 2013
;; MSG SIZE rcvd: 116

That would be a simple change to the spec. We chose NOERROR/ANSWER:0 because we thought it didn't make sense to say NXDOMAIN whilst at the same time synthesising an authority-section SOA with the same owner name as the QNAME when the RCODE we're returning indicates that that owner name doesn't exist.

As someone familiar with implementing the receiver side of this hack, would/should this negative answer be cached?

Joe
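
An added example, not part of the original message or of any resolver's code: a Python sketch that classifies the response shown above as NXDOMAIN or NODATA, derives the negative-cache TTL as RFC 2308 defines it (the smaller of the SOA record's TTL and its MINIMUM field), and flags the case the message describes, where the RCODE says the name does not exist yet the SOA's owner name is the QNAME. The function name and result keys are this example's own.

```python
import re

# Response lines copied from the message above, trimmed to the parts parsed here.
DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41208
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;1.1.1.10.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
1.1.1.10.in-addr.arpa. 604800 IN SOA prisoner.iana.org. hostmaster.root-servers.org. 1 1800 900 604800 604800
"""

SOA_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+IN\s+SOA\s+\S+\s+\S+"   # owner, TTL, MNAME, RNAME
    r"\s+\d+\s+\d+\s+\d+\s+\d+\s+(\d+)\s*$",   # serial, refresh, retry, expire, MINIMUM
    re.M,
)

def classify_negative(dig_text):
    """Classify a dig-formatted reply and derive its RFC 2308 negative TTL."""
    status = re.search(r"status: (\w+)", dig_text).group(1)
    answers = int(re.search(r"ANSWER: (\d+)", dig_text).group(1))
    qname = re.search(r"^;([^;\s]\S*)\s+IN\s+\S+\s*$", dig_text, re.M).group(1).lower()

    if status == "NXDOMAIN":
        kind = "NXDOMAIN"      # the name itself is asserted not to exist
    elif status == "NOERROR" and answers == 0:
        kind = "NODATA"        # the name exists, but has no record of this type
    else:
        kind = "not-negative"

    result = {"kind": kind, "qname": qname, "negative_ttl": None, "contradiction": False}
    soa = SOA_RE.search(dig_text)
    if soa and kind != "not-negative":
        owner, ttl, minimum = soa.group(1).lower(), int(soa.group(2)), int(soa.group(3))
        # RFC 2308: cache the negative answer for min(SOA TTL, SOA MINIMUM) seconds.
        result["negative_ttl"] = min(ttl, minimum)
        # An SOA owned by the QNAME implies the QNAME exists, which NXDOMAIN denies.
        result["contradiction"] = kind == "NXDOMAIN" and owner == qname
    return result

if __name__ == "__main__":
    print(classify_negative(DIG_OUTPUT))
    # The NOERROR/ANSWER:0 form mentioned in the message, constructed from the same text.
    print(classify_negative(DIG_OUTPUT.replace("status: NXDOMAIN", "status: NOERROR")))
```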