On Mon, Jul 31, 2023 at 11:58 AM Edward Lewis <edward.le...@icann.org> wrote:
>
> E.g., while preparing this message I tried these two dig messages:
>
> dig somename.cloudflare.com a @ns3.cloudflare.com.
> and
> dig somename.cloudflare.com a
>
> The first returned NXDOMAIN, the latter NoError/NoData. If I were a human
> trying to figure out a problem with a wildcard not matching, the difference
> between these two responses would be significant. (The reason existence is
> defined in the wildcard document is that existence matters when applying
> the synthesis rules.)
>

You've probably stumbled across Cloudflare's differential behavior for DO=0 vs DO=1 queries. With non-DNSSEC queries it provides a vanilla, unsigned NXDOMAIN response. With DNSSEC-enabled queries, it provides the Compact Answer NODATA response.

Your 1st query probably was DO=0. For your 2nd query, I assume the recursive server that you used sent DO=1 queries upstream by default.

Yes, this is kind of confusing, and I'm not particularly a fan of this differential behavior.

Shumon.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
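Added example, not part of the original message or of any Cloudflare code: a Python sketch that builds the same question with DO=0 and DO=1 and classifies the two replies from their headers, which is the comparison the reply above describes. The function names and the two sample response headers are constructed for illustration.

```python
import struct

DO_BIT = 0x8000   # "DNSSEC OK" flag: top bit of the 16-bit EDNS flags field
OPT_TYPE = 41     # EDNS0 OPT pseudo-record type

def build_query(name, qtype=1, do=False, qid=0x1234):
    """Wire-format query for `name` with an EDNS0 OPT record; DO set when do=True."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)           # QTYPE, QCLASS=IN
    # OPT RR: root owner, TYPE=41, CLASS=UDP size, TTL=ext-rcode|version|flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, DO_BIT if do else 0, 0)
    return header + question + opt

def query_do_bit(wire):
    """Read the DO bit back out of a query produced by build_query()."""
    pos = 12
    while wire[pos]:                 # walk the QNAME labels
        pos += wire[pos] + 1
    pos += 1 + 4                     # root label, QTYPE, QCLASS
    rtype, _size, ttl = struct.unpack_from("!HHI", wire, pos + 1)  # skip OPT owner name
    if rtype != OPT_TYPE:
        raise ValueError("first additional record is not OPT")
    return bool(ttl & DO_BIT)

def classify(response):
    """Classify a reply from its 12-byte header only."""
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", response)
    rcode = flags & 0x000F
    if rcode == 3:
        return "NXDOMAIN"
    if rcode == 0:
        return "ANSWER" if ancount else "NODATA"
    return "RCODE%d" % rcode

def compare(resp_do0, resp_do1):
    """Report whether the server answered the same question differently per DO bit."""
    a, b = classify(resp_do0), classify(resp_do1)
    return {"DO=0": a, "DO=1": b, "differential": a != b}

# Constructed sample headers (not captured traffic): QR=1, AA=1, no answer records.
SAMPLE_DO0 = struct.pack("!HHHHHH", 0x1234, 0x8403, 1, 0, 1, 0)  # RCODE=3
SAMPLE_DO1 = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 0, 4, 1)  # RCODE=0, ANCOUNT=0

if __name__ == "__main__":
    for do in (False, True):
        q = build_query("somename.cloudflare.com", do=do)
        print("DO=%d query: %s" % (query_do_bit(q), q.hex()))
    print(compare(SAMPLE_DO0, SAMPLE_DO1))
```

Sending both queries to the same authoritative server and passing the two replies to `compare()` takes the recursive resolver's default DO setting out of the comparison.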