Help on NXDOMAIN to try next forwarder in the list
Barry Margolin
barmar at alum.mit.edu
Fri May 31 16:13:20 UTC 2013
In article <mailman.395.1370014330.20661.bind-users at lists.isc.org>,
John Wobus <jw354 at cornell.edu> wrote:
> I will add my +1:
>
> NXDOMAIN does not mean "I don't have a number for that name but
> someone else
> might." It means "The DNS lists this name as having no number (or
> whatever)."
> There's no more reason to look further than if you got a positive
> answer from one server and still wondered if some other DNS server
> might say something else. You might just as well recheck positive
> A-record answers with other servers because they might say NXDOMAIN.
>
> The only reason to look further is if you are monitoring
> for inconsistencies/brokenness.
>
> "Settling time" is an issue, e.g. when you don't have an
> effective NOTIFY authoritative servers temporarily disagree
> for a significant interval. Still, if you get two answers
> (one NXDOMAIN and one A record) from servers, there is no
> way to tell which is "correct", just as if you got two different
> A-record answers. It's up to the zone's maintainer to assure
> the (hopefully temporary) inconsistency doesn't cause issues.
Theoretically, clients could query multiple servers, and we could have
required them to include the SOA serial number in all replies, and the
client could select the answer with the highest serial.
But that's not how the protocol was designed. DNS makes a trade-off
between overhead and perfection -- it makes extensive use of caching,
and it's understood that there will be windows during which different
clients may have different views of a record. TTLs, refresh times, and
NOTIFY allow DNS administrators to limit the size of those windows.
Application developers are expected to work around this at higher
levels, as best they can.
--
Barry Margolin
Arlington, MA
More information about the bind-users
mailing list