Peter Koch pk at
Wed Jun 13 22:46:05 UTC 2007

On Wed, Jun 13, 2007 at 06:26:00PM +0200, Irenäus Becker wrote:

> now checks all nameservers for existing entries for the affected zone. 
> If all nameservers return a NXDOMAIN (Bind) everything is fine.
> Our NSD nameservers return the status SERVFAIL. interprets this 
> return-code as an error and does not finish this transaction completely.

I haven't checked your view of's policies and/or procedures and would
appreciate a comment from AT. That said, ...

> Is it possible to return a NXDOMAIN instead of a SERVFAIL? Are there 

... SERVFAIL is probably the more protocolly correct response but not the only
possible one.
Some scenarios are listed in <draft-koch-dns-unsolicited-queries-01.txt>

> different possibilities how this point can be resolved?

If you really need to respond NXDOMAIN (and again, I'm not saying you do),
one approach is to define an empty (lest the served delegations) parent TLD
(here: AT) zone on your server(s). But careful: there may be side effects
and you should make sure not to leak false information.  The bottom line is:
if the problem exists, it can be solved by configuration, not by teaching
nsd to violate the protocol.
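
The following is an added example, not part of the original message and not code from NSD or any registry. It reads the RCODE and AA bit from each server's reply and applies the check as the quoted text describes it (pass only if every server returns NXDOMAIN). The server labels, the name placeholder-zone.at and the replies are constructed; the pass rule is an assumption taken from the quoted description.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid, qtype=6):
    """Encode a minimal DNS query (RD clear) for name, qtype (6 = SOA), class IN."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def parse_reply(query, reply):
    """Return (rcode_name, authoritative) after matching the reply to the query."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    qid, flags = struct.unpack("!HH", reply[:4])
    if qid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        raise ValueError("not a response to this query")
    rcode = flags & 0x000F                      # low four bits of the flags word
    return RCODES.get(rcode, "RCODE%d" % rcode), bool(flags & 0x0400)  # 0x0400 = AA

def precheck(results):
    """results: {server: (rcode, aa)}. Assumed rule: every server must say NXDOMAIN."""
    failures = {s: r for s, (r, _aa) in results.items() if r != "NXDOMAIN"}
    return (not failures, failures)

def fake_reply(query, rcode, aa):
    """Constructed reply: echo the question, set QR, optionally AA, and the rcode."""
    flags = 0x8000 | (0x0400 if aa else 0) | rcode
    return query[:2] + struct.pack("!H", flags) + query[4:]

def demo():
    q = build_query("placeholder-zone.at", 0x1A2B)   # hypothetical name
    # Constructed replies: one server answers NXDOMAIN, the other SERVFAIL.
    replies = {"ns-bind": fake_reply(q, 3, False), "ns-nsd": fake_reply(q, 2, False)}
    before = {s: parse_reply(q, r) for s, r in replies.items()}
    # Constructed reply after loading an empty parent zone: NXDOMAIN with AA set,
    # i.e. the server now answers authoritatively for the parent.
    replies["ns-nsd"] = fake_reply(q, 3, True)
    after = {s: parse_reply(q, r) for s, r in replies.items()}
    return precheck(before), precheck(after), after

if __name__ == "__main__":
    print(demo())
```

The AA flag in the second run is the side effect to watch for: the server is now asserting authority over the parent zone for any name it is asked about.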

