== DNS/NXDOMAIN/cz ==

cz and nic.cz have [a-d].ns.nic.cz as their NS.

{{{
$ dnsq ns cz a.root-servers.net
2 cz:
267 bytes, 1+0+4+8 records, response, noerror
query: 2 cz
authority: cz 172800 NS d.ns.nic.cz
authority: cz 172800 NS c.ns.nic.cz
authority: cz 172800 NS b.ns.nic.cz
authority: cz 172800 NS a.ns.nic.cz
additional: d.ns.nic.cz 172800 A 193.29.206.1
...
}}}

If you send a query to a.ns.nic.cz for the NS of nonexistent.a.ns.nic.cz, you will get the following response.

{{{
$ dnsq ns nonexistent.a.ns.nic.cz a.ns.nic.cz
2 nonexistent.a.ns.nic.cz:
88 bytes, 1+0+1+0 records, response, authoritative, nxdomain
query: 2 nonexistent.a.ns.nic.cz
authority: nic.cz 1800 SOA a.ns.nic.cz hostmaster.nic.cz 1457618104 10800 3600 1209600 7200
}}}

Can we tell "There is a nic.cz zone"? Yes. And we can tell that nic.cz has the a.ns.nic.cz NS.

We can also tell "There is no ns.nic.cz zone."

We should also know that an a.ns.nic.cz zone does not exist.

-- ToshinoriMaeno

----

If we use the information obtained from the NXDOMAIN reply, we can protect the SOA label domain name and the names underneath it from NS poisoning attacks, e.g. nic.cz and ns.nic.cz.

A cache poisoning attack will not be effective for at least the negative caching TTL (in seconds).

-- ToshinoriMaeno

https://twitter.com/beyondDNS/status/709705732472442881

The SOA record of an NXDOMAIN response means:

{{{
there are no zones above (and including) the query name and under the SOA label (zone).
}}}

== QA ==

{{{
SOA tells you where is the closest zone cut, ns.nic.cz might still have A or TXT or whatever.
}}}

ns.nic.cz does not have NS! This is the difference.

{{{
What if you introduce the http://ns.nic.cz zone cut in the nic.cz zone at some point?
}}}

The negative caching TTL for ns.nic.cz should be the same as for any other negative caching record.
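
The inference described above, as an added example that is not part of the original page: it derives the names proven to have no zone cut from the NXDOMAIN reply's SOA line and refuses NS records for them until the negative TTL runs out. The function and class names are hypothetical, and the negative TTL is assumed to be the lesser of the SOA TTL and the SOA MINIMUM field (RFC 2308).

```python
# Added example; names below are hypothetical, not from any real resolver.

def labels(name):
    """Split a domain name into lowercase labels; the root is the empty list."""
    n = name.rstrip(".").lower()
    return n.split(".") if n else []

def no_cut_names(qname, soa_owner):
    """Names from qname up to, but excluding, soa_owner; none is a zone apex."""
    q, z = labels(qname), labels(soa_owner)
    if len(q) <= len(z) or q[len(q) - len(z):] != z:
        raise ValueError("SOA owner is not a proper ancestor of the query name")
    return [".".join(q[i:]) for i in range(len(q) - len(z))]

def parse_soa_line(line):
    """Parse a dnsq 'authority:' SOA line into (owner, ttl, minimum)."""
    f = line.split()
    if len(f) != 11 or f[0] != "authority:" or f[3] != "SOA":
        raise ValueError("not a dnsq authority SOA line")
    return f[1], int(f[2]), int(f[10])

def negative_ttl(soa_ttl, soa_minimum):
    """Assumption (RFC 2308): the lesser of the SOA TTL and SOA MINIMUM."""
    return min(soa_ttl, soa_minimum)

class NoCutCache:
    """Remembers names proven to have no zone cut until the negative TTL expires."""
    def __init__(self):
        self.expiry = {}  # normalized name -> absolute expiry time (seconds)

    def learn_nxdomain(self, qname, soa_line, now):
        owner, ttl, minimum = parse_soa_line(soa_line)
        until = now + negative_ttl(ttl, minimum)
        for name in no_cut_names(qname, owner):
            self.expiry[name] = max(until, self.expiry.get(name, 0))

    def accept_ns(self, owner, now):
        """False while an NS RRset for owner contradicts a live no-cut entry."""
        return self.expiry.get(".".join(labels(owner)), 0) <= now

# SOA line copied from the NXDOMAIN response shown on this page.
SOA_LINE = ("authority: nic.cz 1800 SOA a.ns.nic.cz hostmaster.nic.cz "
            "1457618104 10800 3600 1209600 7200")

if __name__ == "__main__":
    cache = NoCutCache()
    cache.learn_nxdomain("nonexistent.a.ns.nic.cz", SOA_LINE, now=0)
    for name in ("ns.nic.cz", "a.ns.nic.cz", "nic.cz"):
        print(name, "NS accepted at t=60:", cache.accept_ns(name, 60))
```

The cache covers only the names between the query name and the SOA owner; nic.cz itself is a zone apex and legitimately has NS records, so it is not blocked here.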