DNS/NXDOMAIN/Four Types
NXDOMAIN (an RCODE) is supposedly what indicates that the queried (domain) name does not exist, but something seems odd.
Name errors (NXDOMAIN) are indicated by the presence of "Name Error" in the RCODE field. In this case the domain referred to by the QNAME does not exist. Note: the answer section may have SIG and CNAME RRs and the authority section may have SOA, NXT [RFC2065] and SIG RRsets.
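Does it really go as far as checking that "the target of the CNAME does not exist"?
- Why were examples like these chosen? (I get the feeling that a domain name not existing and a name having no records are being conflated.)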
NXDOMAIN responses can be categorised into four types by the contents of the authority section.
Since the Answer is a CNAME, an Authority section seems to get attached, though. (poison
NXDOMAIN RESPONSE: TYPE 1.
    Header:
        RDCODE=NXDOMAIN
    Query:
        AN.EXAMPLE. A
    Answer:
        AN.EXAMPLE. CNAME TRIPPLE.XX.
    Authority:
        XX. SOA NS1.XX. HOSTMASTER.NS1.XX. ....
        XX. NS NS1.XX.
        XX. NS NS2.XX.
    Additional:
        NS1.XX. A 127.0.0.2
        NS2.XX. A 127.0.0.3
NXDOMAIN RESPONSE: TYPE 2.
    Header:
        RDCODE=NXDOMAIN
    Query:
        AN.EXAMPLE. A
    Answer:
        AN.EXAMPLE. CNAME TRIPPLE.XX.
    Authority:
        XX. SOA NS1.XX. HOSTMASTER.NS1.XX. ....
    Additional:
        <empty>
NXDOMAIN RESPONSE: TYPE 3.
    Header:
        RDCODE=NXDOMAIN
    Query:
        AN.EXAMPLE. A
    Answer:
        AN.EXAMPLE. CNAME TRIPPLE.XX.
    Authority:
        <empty>
    Additional:
        <empty>
NXDOMAIN RESPONSE: TYPE 4
    Header:
        RDCODE=NXDOMAIN
    Query:
        AN.EXAMPLE. A
    Answer:
        AN.EXAMPLE. CNAME TRIPPLE.XX.
    Authority:
        XX. NS NS1.XX.
        XX. NS NS2.XX.
    Additional:
        NS1.XX. A 127.0.0.2
        NS2.XX. A 127.0.0.3
REFERRAL RESPONSE.
    Header:
        RDCODE=NOERROR
    Query:
        AN.EXAMPLE. A
    Answer:
        AN.EXAMPLE. CNAME TRIPPLE.XX.
    Authority:
        XX. NS NS1.XX.
        XX. NS NS2.XX.
    Additional:
        NS1.XX. A 127.0.0.2
        NS2.XX. A 127.0.0.3
- Note, in the four examples of NXDOMAIN responses, it is known that the name "AN.EXAMPLE." exists, and has as its value a CNAME record. The NXDOMAIN refers to "TRIPPLE.XX", which is then known not to exist. On the other hand, in the referral example, it is shown that "AN.EXAMPLE" exists, and has a CNAME RR as its value, but nothing is known one way or the other about the existence of "TRIPPLE.XX", other than that "NS1.XX" or "NS2.XX" can be consulted as the next step in obtaining information about it.
Where no CNAME records appear, the NXDOMAIN response refers to the name in the label of the RR in the question section.
2.1.1 Special Handling of Name Error
A recommendation to use only TYPE 2 NXDOMAIN responses (the stated reason is malfunctioning resolvers).
- To alleviate this problem it is recommended that servers that are authoritative for the NXDOMAIN response only send TYPE 2 NXDOMAIN responses, that is the authority section contains a SOA record and no NS records.
3 - Negative Answers from Authoritative Servers
- Name servers authoritative for a zone MUST include the SOA record of the zone in the authority section of the response when reporting an NXDOMAIN or indicating that no data of the requested type exists. This is required so that the response may be cached. The TTL of this record is set from the minimum of the MINIMUM field of the SOA record and the TTL of the SOA itself, and indicates how long a resolver may cache the negative answer. The TTL SIG record associated with the SOA record should also be trimmed in line with the SOA's TTL. If the containing zone is signed [RFC2065] the SOA and appropriate NXT and SIG records MUST be added.
NS records are not mentioned. Whether to cache the SOA also appears to be optional, but it is not.
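An added Python example (not from the RFC text or the original page): it classifies a parsed response as one of the four NXDOMAIN types or a referral from its authority section, follows the CNAME chain to find the name the NXDOMAIN actually refers to, and derives the negative-cache TTL from the SOA as section 3 describes. The `RR` tuple, the `classify` function and all TTL/MINIMUM numbers are assumptions constructed for illustration.

```python
from collections import namedtuple

# Simplified resource record (assumed shape); 'minimum' is only set for SOA.
RR = namedtuple("RR", "name rtype ttl rdata minimum", defaults=(None,))

def classify(rcode, qname, answer, authority):
    """Return (kind, denied_name, negative_ttl) for one parsed response."""
    # The NXDOMAIN applies to the end of the CNAME chain, or to QNAME if none.
    cnames = {rr.name.lower(): rr.rdata.lower()
              for rr in answer if rr.rtype == "CNAME"}
    name, seen = qname.lower(), set()
    while name in cnames and name not in seen:  # 'seen' stops CNAME loops
        seen.add(name)
        name = cnames[name]

    soa = [rr for rr in authority if rr.rtype == "SOA"]
    has_ns = any(rr.rtype == "NS" for rr in authority)

    if rcode == "NOERROR":
        # NS without SOA says nothing about whether the target exists.
        return ("REFERRAL" if has_ns and not soa else "OTHER"), None, None
    if rcode != "NXDOMAIN":
        return "OTHER", None, None

    if soa:
        kind = "TYPE 1" if has_ns else "TYPE 2"
    else:
        kind = "TYPE 4" if has_ns else "TYPE 3"
    # Negative TTL = min(SOA TTL, SOA MINIMUM); no SOA means nothing to cache by.
    ttl = min(soa[0].ttl, soa[0].minimum) if soa else None
    return kind, name, ttl

# Constructed sample records mirroring the examples above; TTL values invented.
CNAME = [RR("AN.EXAMPLE.", "CNAME", 3600, "TRIPPLE.XX.")]
SOA = RR("XX.", "SOA", 7200, "NS1.XX. HOSTMASTER.NS1.XX.", minimum=900)
NS = [RR("XX.", "NS", 7200, "NS1.XX."), RR("XX.", "NS", 7200, "NS2.XX.")]

def demo():
    """Classify the four NXDOMAIN examples and the referral example."""
    cases = {"TYPE 1": [SOA] + NS, "TYPE 2": [SOA], "TYPE 3": [], "TYPE 4": NS}
    out = {k: classify("NXDOMAIN", "AN.EXAMPLE.", CNAME, auth)
           for k, auth in cases.items()}
    out["REFERRAL"] = classify("NOERROR", "AN.EXAMPLE.", CNAME, NS)
    return out

if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "->", result)
```

A monitoring check built on this can flag any kind other than TYPE 2 coming from an authoritative server, since section 2.1.1 recommends TYPE 2 only.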
8 - Changes from RFC 1034
- Negative caching in resolvers is no-longer optional, if a resolver caches anything it must also cache negative answers. Non-authoritative negative answers MAY be cached. The SOA record from the authority section MUST be cached. Name error indications must be cached against the tuple <query name, QCLASS>. No data indications must be cached against <query name, QTYPE, QCLASS> tuple.