Wouter Wijngaards wouter at
Thu Jun 14 07:12:27 UTC 2007


Peter Koch wrote:
> On Wed, Jun 13, 2007 at 06:26:00PM +0200, Irenäus Becker wrote:
>> Is it possible to return a NXDOMAIN instead of a SERVFAIL? Are there 
> ... SERVFAIL is probably the more protocolly correct response but not the only
> possible one.
> Some scenarios are listed in <draft-koch-dns-unsolicited-queries-01.txt>
>> different possibilities how this point can be resolved?
> If you really need to respond NXDOMAIN (and again, I'm not saying you do),
> one approach is to define an empty (lest the served delegations) parent TLD
> (here: AT) zone on your server(s). But careful: there may be side effects
> and you should make sure not to leak false information.  The bottom line is:
> if the problem exists, it can be solved by configuration, not by teaching
> nsd to violate the protocol.

I agree with Peter here.
NSD returns SERVFAIL as it has no zone RR information. At the very least
NSD needs a SOA RR for the zone; it will then return NXDOMAIN for
everything else in the zone. I do not know if accepts that.

In query.c, line 1084, change
        q->zone = domain_find_zone(closest_encloser);
        if (!q->zone) {
                if(q->cname_count == 0)
- -                        RCODE_SET(q->packet, RCODE_SERVFAIL);
        q->zone = domain_find_zone(closest_encloser);
        if (!q->zone) {
                if(q->cname_count == 0)
+                        RCODE_SET(q->packet, RCODE_NXDOMAIN);
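Review bot: the NXDOMAIN set in this hunk is emitted while q->zone is still NULL, so there is no zone whose SOA could be placed in the authority section; the reply is therefore not a valid negative answer in the RFC 2308 sense (resolvers cannot negatively cache it) and it asserts non-existence of a name this server holds no zone for. As the message itself states, this should not be merged; the supported way to get NXDOMAIN is to load a parent zone (here "at") containing at least an SOA, after which domain_find_zone(closest_encloser) succeeds and the normal NXDOMAIN path is taken. Presentation point: the hunk repeats its three context lines as a before/after pair instead of a single unified hunk with one `-` and one `+` line, so it will not apply with patch as written.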
to teach NSD to violate the protocol.

This change should never get into the NSD source as it violates the
protocol (and could cause nasty effects for some misconfigurations;
zones becoming unresolvable 'help my website disappeared').
As Peter says, configure the parent zone .at to get the same effect
without recompile.

Best regards,
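Added example, not from this thread or the NSD sources: the configuration route Peter and Wouter describe, as a minimal "at" parent zone file holding only an SOA, its apex NS, and the delegation for the one child zone this server actually serves. The child name, serial and address are constructed placeholders, and the matching nsd.conf stanza is assumed to be `zone:` / `name: "at"` / `zonefile: "at.zone"`.

```zone
; Constructed example parent zone for NSD.  With this loaded, a query for an
; unknown name under .at finds a zone (domain_find_zone succeeds) and NSD
; answers NXDOMAIN with this SOA in the authority section, instead of SERVFAIL.
$ORIGIN at.
$TTL    3600

@       IN SOA  ns1.child.at. hostmaster.child.at. (
                2007061401      ; serial (placeholder)
                3600            ; refresh
                900             ; retry
                604800          ; expire
                300 )           ; minimum: negative-cache TTL used for NXDOMAIN
@       IN NS   ns1.child.at.

; "lest the served delegations": the only other content is the delegation
; (NS plus glue) for the zone this server really is authoritative for.
child.at.       IN NS   ns1.child.at.
ns1.child.at.   IN A    192.0.2.53      ; glue, RFC 5737 documentation address

; Side effect Peter warns about: every other .at name asked of this server is
; now answered NXDOMAIN with authority, so only load this where this server is
; the sole target for that namespace and cannot leak the answer further.
```

NSD still needs the separate zone stanza and zone file for child.at itself; the parent zone only supplies the SOA that turns the "no zone" SERVFAIL into a proper negative answer.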


More information about the nsd-users mailing list