On Tue, Mar 10, 2020 at 12:18:28PM -0700, Fred Morris wrote:

> NOERROR doesn't necessarily mean that there was an answer. The number of 
> answers to the question asked can be 0, even if the FQDN (fully qualified 
> domain name) exists, if some other type of information is associated with 
> it. It could also be an ENT (empty non terminal), there could be 
> subrecords.

Correct, NOERROR is the non-failure status code when the target name
(possibly after one or more CNAME redirects) exists, whether or not
it has associated records of the requested type.

Non-failure means the DNS server was able to give you a definitive
answer; it may or may not be the answer you were looking for.

    C: www.example.com. IN MX ?
    S: NOERROR(1/1/0): www.example.com. IN CNAME www.example.net.
                       example.net. IN SOA ...

The above indicates that www.example.com is aliased to www.example.net,
which exists, but has no MX records.

[ (1/1/0) means 1 answer (CNAME), 1 authority record (SOA), 0 additional ]

> NXDOMAIN means there are no records.

No, this is wrong.  NXDOMAIN is the non-failure status code when the
target name (possibly after one or more CNAME redirects) does not exist.

    C: www.example.com. IN MX ?
    S: NXDOMAIN(1/1/0): www.example.com. IN CNAME www.example.net.
                        example.net. IN SOA ...

The above indicates that www.example.com is aliased to www.example.net,
which does not exist.

> SERVFAIL means that no usable records were found. This can be returned by 
> your caching / recursive resolver. SERVFAIL is also the common result if 
> you're using DNSSEC and your resolver becomes untethered from NTP.

No. This is wrong.  SERVFAIL means that the nameserver (authoritative or
iterative) was unable to provide an answer.  It has nothing to do with
"usable records".  This is a catch-all "I tried to service your query,
but failed, sorry about that, better luck next time..."  answer.

Yes, resolvers return SERVFAIL when the upstream answer fails DNSSEC
validation (is "bogus"), but also when the domain is lame, or upstream
queries time out, ...

-- 
    Viktor.
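
The distinction drawn in the message above, as an added example that is not part of the original message: a small wire-format classifier that reads the RCODE and the answer section and reports the `(answers/authority/additional)` counts in the same notation. The helper names, the verdict labels and the sample responses are constructed for illustration.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
CNAME, SOA, MX = 5, 6, 15                      # RR type codes

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]                    # ordinary label: length byte + text
    return off + (2 if msg[off] else 1)        # 2-byte pointer or 1-byte root label

def classify(msg):
    """Return ('RCODE(an/ns/ar)', verdict) for a response with one question.
    No bounds checks: meant for the constructed samples below, not hostile input."""
    _id, flags, _qd, an, ns, ar = struct.unpack_from("!6H", msg)
    rcode = flags & 0x000F
    off = skip_name(msg, 12)
    qtype, = struct.unpack_from("!H", msg, off)
    off += 4                                   # QTYPE + QCLASS
    seen = set()
    for _ in range(an):                        # collect the types in the answer section
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        seen.add(rtype)
    status = f"{RCODES.get(rcode, rcode)}({an}/{ns}/{ar})"
    if rcode == 0:                             # name exists; records of qtype may not
        return status, "answer" if qtype in seen else "no-data"
    # NXDOMAIN is definitive; every other RCODE is treated here as a failure
    return status, "no-such-name" if rcode == 3 else "failure"

# --- constructed sample responses (not captured traffic) ---
def name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\0"

def rr(owner, rtype, rdata):
    return name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata

def response(rcode, answers=(), authority=()):
    hdr = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(answers), len(authority), 0)
    question = name("www.example.com") + struct.pack("!HH", MX, 1)
    return hdr + question + b"".join(answers) + b"".join(authority)

ALIAS = rr("www.example.com", CNAME, name("www.example.net"))
ZONE_SOA = rr("example.net", SOA, name("ns.example.net")
              + name("hostmaster.example.net") + struct.pack("!5I", 1, 3600, 600, 86400, 300))
NODATA = response(0, [ALIAS], [ZONE_SOA])      # alias target exists, has no MX
NXDOMAIN = response(3, [ALIAS], [ZONE_SOA])    # alias target does not exist
SERVFAIL = response(2)                         # server could not answer
ANSWER = response(0, [rr("www.example.com", MX, struct.pack("!H", 10) + name("mail.example.com"))])
```
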
