Reply Code 0x8083 vs 0x8080

Jiann-Ming Su su_js1 at yahoo.com
Thu May 29 22:53:18 UTC 2014

> On Thursday, May 29, 2014 6:32 PM, Mark Andrews <marka at isc.org> wrote:
> 
> In message <53879683.2080500 at chrysler.com>, Kevin Darcy writes:
>>  Why the different RCODES? See RFC 2308. Short version: the "NODATA"
>>  response occurs when the QNAME exists, but no records match QTYPE. It
>>  will also occur if the QNAME is merely a "branch" to something further
>>  down in the hierarchy (a so-called "empty non-terminal"), and owns no
>>  records of its own.
>> 
>>  I'm not sure why NODATA would inhibit search-suffixing, but I just
>>  confirmed on a Linux platform that it does. Weird.
>> 
>>                                           - Kevin
> 
> Actually it is perfectly logical and fixes a long-standing security
> bug.  A name should refer to a single node in the DNS not multiple
> nodes depending upon the query type.  A search should always end
> on the same node independent of query type.
> 
> What is broken is putting a bare SRV prefix into res_search.
> res_search was not designed for that type of searching and doing
> so introduces the sort of security errors talked about in RFC 1535.
> 

Mark,

Thanks again for your insights.  The troublesome app is the same one you responded to me about back in February when I was asking about recursion and auth responses.  While it does appear the app may not be following best practices in its DNS queries, do you have insights as to why BIND would respond NoError on one query and NXDomain on another?

I'm reading through RFC 1535 now and will forward that along to the application owners.
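The following is an added example and is not part of the thread above, nor code from BIND, ISC or libresolv. It is a small Python model of the search-list walk that res_search() performs, run against a constructed in-memory "DNS" so it works offline, to show the two points Mark makes: a NODATA answer (NOERROR with an empty answer section) must end the walk just as a positive answer does, so that a name lands on the same node whatever the QTYPE, while an NXDOMAIN still moves on to the next suffix, which is why a bare SRV prefix fed to res_search can wander into a later, foreign suffix. The zone contents, the names corp.example and attacker.test, the wildcard and the search list are all made up for illustration; the ndots handling is simplified and the stop_on_nodata flag is this model's own switch between the old and the fixed behaviour, not a libresolv option.

```python
# Added example, not code from the bind-users thread, from libresolv or
# from BIND: a model of the search-list walk res_search() performs, run
# against a constructed in-memory "DNS" so it works offline.  Zone data,
# owner names and the search list below are made up for illustration.

NXDOMAIN = "NXDOMAIN"
NOERROR = "NOERROR"

# Constructed mock zone data: absolute owner name -> {qtype: [rdata, ...]}.
# corp.example is the organisation's own domain; attacker.test stands in
# for a later search-list suffix under someone else's control, with a
# wildcard that answers any name (the RFC 1535 scenario).
MOCK_DNS = {
    "corp.example.": {"SOA": ["ns.corp.example. hostmaster.corp.example. 1 1 1 1 1"]},
    "mail.corp.example.": {"A": ["192.0.2.10"]},
    "ldap.corp.example.": {"A": ["192.0.2.20"]},
    "_ldap._tcp.corp.example.": {"SRV": ["0 0 389 ldap.corp.example."]},
    "*.attacker.test.": {"A": ["203.0.113.66"],
                         "SRV": ["0 0 389 evil.attacker.test."]},
}


def _node_exists(name):
    """A node exists if it owns records or is an ancestor of a name that
    does (an "empty non-terminal" in RFC 2308 terms)."""
    return any(o == name or o.endswith("." + name) for o in MOCK_DNS)


def lookup(name, qtype):
    """Answer one absolute query the way an authoritative server would:
    NOERROR plus records; NOERROR with an empty answer (NODATA) when the
    node exists but lacks the type; NXDOMAIN only when no node exists at
    or below the name and no wildcard at the closest encloser matches."""
    assert name.endswith("."), "lookup() takes absolute names"
    if _node_exists(name):
        return NOERROR, MOCK_DNS.get(name, {}).get(qtype, [])
    labels = name.split(".")          # trailing "" stands for the root
    for i in range(1, len(labels) - 1):
        parent = ".".join(labels[i:])
        if _node_exists(parent):      # closest encloser found
            wild = "*." + parent
            if wild in MOCK_DNS:
                return NOERROR, MOCK_DNS[wild].get(qtype, [])
            return NXDOMAIN, []
    return NXDOMAIN, []


def res_search(qname, qtype, search_list, ndots=1, stop_on_nodata=True):
    """Walk candidate names like res_search(): an absolute name (trailing
    dot) is looked up once; a relative name with at least ndots dots is
    tried as given first, then with each search suffix; with fewer dots
    the suffixes come first and the bare name last.  Returns
    (name_answered, rcode, answers).

    stop_on_nodata=True is the behaviour the thread describes as the fix:
    any NOERROR answer, even an empty one, ends the walk, so a name always
    lands on the same node whatever the QTYPE.  stop_on_nodata=False models
    the old behaviour that treated NODATA like NXDOMAIN and kept walking."""
    if qname.endswith("."):
        rcode, ans = lookup(qname, qtype)
        return qname, rcode, ans
    absolute = [qname + "."]
    suffixed = [f"{qname}.{s.rstrip('.')}." for s in search_list]
    candidates = absolute + suffixed if qname.count(".") >= ndots else suffixed + absolute
    last = None
    for fq in candidates:
        rcode, ans = lookup(fq, qtype)
        last = (fq, rcode, ans)
        if rcode == NXDOMAIN:
            continue                  # no such node here: try the next suffix
        if ans or stop_on_nodata:
            return last               # positive answer, or NODATA under the fix
        # NODATA under the old behaviour: fall through and keep walking
    return last                       # nothing found: report the final attempt


SEARCH_LIST = ["corp.example", "attacker.test"]   # constructed resolv.conf search list


def demo():
    """Run the cases discussed in the thread and return them by label."""
    return {
        "A, fixed":    res_search("mail", "A", SEARCH_LIST),
        "SRV, fixed":  res_search("mail", "SRV", SEARCH_LIST),
        "SRV, old":    res_search("mail", "SRV", SEARCH_LIST, stop_on_nodata=False),
        "proper SRV":  res_search("_ldap._tcp", "SRV", SEARCH_LIST),
        "bare prefix": res_search("_sip._udp", "SRV", SEARCH_LIST),
    }


if __name__ == "__main__":
    for label, (name, rcode, answers) in demo().items():
        print(f"{label:12s} -> {name:28s} {rcode:8s} {answers}")
```

With the fix, "mail" resolves to mail.corp.example. for both A and SRV; the SRV query simply comes back empty. Under the old behaviour the same name silently resolves to mail.attacker.test. for SRV only, because the NODATA at corp.example was treated as "not here, try the next suffix". The last case shows why the search list is the wrong tool for a bare SRV prefix: _sip._udp.corp.example. does not exist at all, so even with the fix the NXDOMAIN carries the walk on to the foreign suffix, which is the RFC 1535 problem Mark refers to. A robust client builds the full SRV owner name from a known domain and queries it absolutely instead.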
