[sdnog] DNS servfail vs nxdomain

Philip Paeps philip at trouble.is
Thu Jan 12 11:14:48 SAST 2017


On 2017-01-12 08:53:20 (+0100), Daniel Shaw <danielshaw at protonmail.com> wrote:
> In both cases you don't get any result. Of course.

Technically, NXDOMAIN is a result.  It means "this domain does not
exist".

> In the case of SERVFAIL - It means either the authoritative server
> could not be reached, or didn't answer to DNS queries on port 53.

Authoritative servers may also respond with SERVFAIL, e.g. in the case
of misconfigurations (zone configured but zonefile cannot be found or
cannot be parsed) or errors (e.g. expired zone on a secondary server).

You may also get SERVFAIL from a DNSSEC validating resolver when it
determines the result for the query you sent is bogus and the client
didn't indicate DNSSEC support (DO bit not set).

> And most important, as there is no actual data, nothing is cached
> either. And also, the resolver may then try other alternate
> nameservers for the domain.

Correct.  This is the fundamental difference between NXDOMAIN and
SERVFAIL: NXDOMAIN is a result and will be cached, SERVFAIL is a
(possibly transient) failure and should not be cached.

> In the case of NXDOMAIN, the authoritative server actually replies,
> but the reply is "this domain or record does not exist".

Nitpicking: it only means "this domain does not exist".  If the domain
exists but the record does not, the reply will be NOERROR with zero
answer records.

> And second, in the case of NXDOMAIN for a specific record, it'll also
> cache the answer for the TTL of the parent zone.

It'll cache it for the *negative* TTL of the parent.

Philip

-- 
Philip Paeps
Senior Reality Engineer
Ministry of Information
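The distinctions drawn in this thread (SERVFAIL is a failure and is never cached; NXDOMAIN is a cacheable result meaning the name does not exist; NOERROR with an empty answer section means the name exists but has no record of that type; the negative answer is cached for min(SOA TTL, SOA MINIMUM) taken from the authority section, per RFC 2308) are exactly the decisions a caching resolver makes on every response. The script below is an added example, not code from the thread or from any resolver: it parses DNS wire-format responses with only the Python standard library and classifies them the same way. The zone example.net., its SOA values and the four responses are constructed for illustration, not captured traffic; the builder functions exist only to produce those samples. Name decompression is bounded by a hop limit so a malicious pointer loop cannot hang the parser, and one sample uses a compression pointer to exercise that path.

```python
import struct

TYPE_A, TYPE_SOA, TYPE_AAAA = 1, 6, 28
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3


def _name(s):
    """Encode a dotted name in wire format; raw bytes (e.g. a compression pointer) pass through."""
    if isinstance(s, bytes):
        return s
    return b"".join(bytes([len(l)]) + l.encode() for l in s.rstrip(".").split(".") if l) + b"\x00"

def _rr(name, rtype, ttl, rdata):
    return _name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def soa_rdata(mname, rname, serial, refresh, retry, expire, minimum):
    return _name(mname) + _name(rname) + struct.pack("!IIIII", serial, refresh, retry, expire, minimum)

def build_response(qname, qtype, rcode, answers=(), authority=(), aa=True):
    flags = 0x8000 | (0x0400 if aa else 0) | rcode  # QR, optional AA, RCODE in the low 4 bits
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), len(authority), 0)
    question = _name(qname) + struct.pack("!HH", qtype, 1)
    return hdr + question + b"".join(_rr(*a) for a in answers) + b"".join(_rr(*a) for a in authority)

def _read_name(msg, off, max_hops=16):
    """Decode a (possibly compressed) name; returns (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer; bounded so a pointer loop cannot hang us
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            end = off + 2 if end is None else end  # the caller resumes after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)

def _read_rr(msg, off):
    name, off = _read_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    rr = {"name": name, "type": rtype, "ttl": ttl, "rdata": msg[off:off + rdlen]}
    if rtype == TYPE_SOA:  # MINIMUM is the last of five 32-bit fields that follow MNAME and RNAME
        _, p = _read_name(msg, off)
        _, p = _read_name(msg, p)
        rr["soa_minimum"] = struct.unpack("!I", msg[p + 16:p + 20])[0]
    return rr, off + rdlen

def parse_response(msg):
    _id, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    _, off = _read_name(msg, 12)
    off += 4  # skip QTYPE and QCLASS of the single question
    sections = []
    for count in (an, ns):  # answer section, then authority section; additional is ignored
        rrs = []
        for _ in range(count):
            rr, off = _read_rr(msg, off)
            rrs.append(rr)
        sections.append(rrs)
    return {"rcode": flags & 0xF, "aa": bool(flags & 0x0400), "answers": sections[0], "authority": sections[1]}

def classify(msg):
    """Return (verdict, ttl_to_cache); a None TTL means do not cache and try the next server."""
    r = parse_response(msg)
    if r["rcode"] == RCODE_SERVFAIL:
        return "SERVFAIL", None  # a (possibly transient) failure, never cached
    soa = [rr for rr in r["authority"] if rr["type"] == TYPE_SOA]
    neg_ttl = min(soa[0]["ttl"], soa[0]["soa_minimum"]) if soa else None  # RFC 2308 negative TTL
    if r["rcode"] == RCODE_NXDOMAIN:
        return "NXDOMAIN", neg_ttl  # the name does not exist: a result, and it is cached
    if r["rcode"] == RCODE_NOERROR and not r["answers"]:
        return "NODATA", neg_ttl  # the name exists but has no RRset of the queried type
    if r["rcode"] == RCODE_NOERROR:
        return "ANSWER", min(rr["ttl"] for rr in r["answers"])
    return "RCODE%d" % r["rcode"], None

# Constructed sample responses for a hypothetical zone example.net. (not captured traffic).
_SOA = soa_rdata("ns1.example.net.", "hostmaster.example.net.", 2017011201, 7200, 900, 1209600, 300)
SAMPLES = {
    # owner b"\xc0\x13" is a compression pointer to offset 19, where "example.net." starts in the question
    "nxdomain": build_response("nosuch.example.net.", TYPE_A, RCODE_NXDOMAIN,
                               authority=[(b"\xc0\x13", TYPE_SOA, 3600, _SOA)]),
    "nodata": build_response("www.example.net.", TYPE_AAAA, RCODE_NOERROR,
                             authority=[("example.net.", TYPE_SOA, 120, _SOA)]),
    "servfail": build_response("www.example.net.", TYPE_A, RCODE_SERVFAIL, aa=False),
    "answer": build_response("www.example.net.", TYPE_A, RCODE_NOERROR,
                             answers=[("www.example.net.", TYPE_A, 600, bytes([192, 0, 2, 10]))]),
}

def classify_samples():
    return {k: classify(v) for k, v in SAMPLES.items()}
```

Calling classify_samples() gives NXDOMAIN cached for 300 s (the SOA MINIMUM wins over the 3600 s SOA TTL), NODATA cached for 120 s (here the SOA TTL is the smaller), SERVFAIL with no TTL at all, and the positive answer cached for its own 600 s. The example does not look at EDNS, so the DNSSEC case mentioned above (a validating resolver turning a bogus answer into SERVFAIL when the client did not set DO) is indistinguishable here from any other SERVFAIL, which is precisely the client's view of it.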
