Skip to content

NOERROR generated for nonexistent if empty non-terminal exists

Viktor Dukhovni and I sat down at IETF and we finally found the error that has been causing TLSA lookups to fail in Knot DNS:

$ dig +dnssec IN TLSA _25._tcp.rfc6594.org @master.dns.rocks
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 42468
;; Flags: qr aa rd; QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused

;; QUESTION SECTION:
;; _25._tcp.rfc6594.org.		IN	TLSA

;; AUTHORITY SECTION:
rfc6594.org.        	60	IN	SOA	master.dns.rocks. ondrej.sury.org. 1468917149 86400 7200 3600000 60
*.rfc6594.org.      	60	IN	NSEC	mail._domainkey.rfc6594.org. A AAAA RRSIG NSEC
mail._domainkey.rfc6594.org.	60	IN	NSEC	_xmpp-client._tcp.rfc6594.org. TXT RRSIG NSEC
rfc6594.org.        	3600	IN	RRSIG	SOA 8 2 3600 20160802083229 20160719083229 30931 rfc6594.org. HVVWGA2968T2Z9qkixFX1fMmUER17L1DzDCY3pMV1M4HoIochX5P6QAi9vsJV8NMG/KWXX98NTiYDTw56+WhdWxTctwzlQ2fV4bCTQYKi1aRggP6Myvw3y0+LgEo4vrTqfVyZZB/uYCNacKpldC4fFMXfQfpFkTUcfQymsVcQoA=
*.rfc6594.org.      	60	IN	RRSIG	NSEC 8 2 60 20160802083229 20160719083229 30931 rfc6594.org. lRnVPBK8WpVIaX7zKfOR12UHBH6q2/edlmJGg5fzOopSFzAdA7W3DcM0wkJQKtOpcl3P3qsfslnyt/F8XSuJdzGCptXdmtEqGgE4fSC8bEyOWGi8I01za1L8J9YM99Blrz/+AO2UQycw0gsHA+xRn/j6RUbahF6yO+Vegr33MIQ=
mail._domainkey.rfc6594.org.	60	IN	RRSIG	NSEC 8 4 60 20160802083229 20160719083229 30931 rfc6594.org. Pis1nyzflxbxrJDSg9zJnn8H14ZQryHGcRkfnXJPQYjjHyxOQkR6ZVfV79JxBYvN2FKng2xqMjurH3Vp6NRsKnImtRTsBpSW4/97Nj6hUqsdrNArtC+cNdmB8fudqLIy482LKSUZME39lmVm9YjQYKi8FGDLx36zv4yzCdYa7Ao=

;; Received 747 B
;; Time 2016-07-19 10:39:06 CEST
;; From 2a01:5f0:c001:122:a8::75@53(UDP) in 28.8 ms

vs BIND that gots that right:

$ dig +dnssec IN TLSA _25._tcp.rfc6594.org @trubka.network.cz
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 53738
;; Flags: qr aa rd; QUERY: 1; ANSWER: 0; AUTHORITY: 4; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused

;; QUESTION SECTION:
;; _25._tcp.rfc6594.org.		IN	TLSA

;; AUTHORITY SECTION:
rfc6594.org.        	60	IN	SOA	master.dns.rocks. ondrej.sury.org. 1468917149 86400 7200 3600000 60
rfc6594.org.        	60	IN	RRSIG	SOA 8 2 3600 20160802083229 20160719083229 30931 rfc6594.org. HVVWGA2968T2Z9qkixFX1fMmUER17L1DzDCY3pMV1M4HoIochX5P6QAi9vsJV8NMG/KWXX98NTiYDTw56+WhdWxTctwzlQ2fV4bCTQYKi1aRggP6Myvw3y0+LgEo4vrTqfVyZZB/uYCNacKpldC4fFMXfQfpFkTUcfQymsVcQoA=
mail._domainkey.rfc6594.org.	60	IN	NSEC	_xmpp-client._tcp.rfc6594.org. TXT RRSIG NSEC
mail._domainkey.rfc6594.org.	60	IN	RRSIG	NSEC 8 4 60 20160802083229 20160719083229 30931 rfc6594.org. Pis1nyzflxbxrJDSg9zJnn8H14ZQryHGcRkfnXJPQYjjHyxOQkR6ZVfV79JxBYvN2FKng2xqMjurH3Vp6NRsKnImtRTsBpSW4/97Nj6hUqsdrNArtC+cNdmB8fudqLIy482LKSUZME39lmVm9YjQYKi8FGDLx36zv4yzCdYa7Ao=

;; Received 522 B
;; Time 2016-07-19 10:39:42 CEST
;; From 2001:1568:b::145@53(UDP) in 17.5 ms