nanog mailing list archives

Re: nxdomain rfc2308 type 2, but authority is incorrect


From: Mark Andrews <marka () isc org>
Date: Thu, 11 Aug 2016 09:24:50 +1000


In message <57ABB456.5020003 () ttec com>, Joe Maimon writes:


Mark Andrews wrote:


Nameresovle.com's servers are returning answers that can be seen
as a cache poisoning attempt.  They are NOT authoritative for
".hosting" but have been configured as if they are.  This is a big
NO NO.  You don't configure yourself as authoritative for a zone
that has not been delegated to you and in particular you don't
configure yourself as authoritative for "." or a TLD.

Windows 2008 is quite correct in rejecting this answer.  Named would
as well except for the number of DNS hosters that do this sort of
garbage.  Named just sees the CNAME and stops processing the message
after that.

Mark


Thanks for the replies Mark and Bill.

I think it's fair to say that most DNS servers have at one time or 
another hosted a zone they were not authoritative for according to the 
DNS tree, as simple as a customer leaving without notice, cruft, split 
view incorrectly configured, etc.

Having the odd leaf zone left over doesn't usually cause operational
problems.  You have to be very unlucky to be delegated a zone that
has a CNAME that points into the left over leaf zone.

In this case there is a fake TLD zone.  This isn't a left over zone.
This is a DNS hoster not understanding the DNS and the implications
of their operational decisions.

People forget nameservers return negative existence answers and
that they need to be as valid as the positive existence answers.

In any event, windows is accepting the negative answer, BIND is 
rejecting it and going forward with resolving the CNAME, successfully.

Joe
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
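The two resolver-side behaviours the thread turns on, as an added example that is not code from BIND, Windows DNS or any poster: (1) an RFC 2308 negative answer is only credible if the SOA in the authority section sits at or above the name being resolved and inside the zone the queried server was actually delegated (the "bailiwick"), so a server delegated example.com cannot vouch for a made-up "hosting" TLD; (2) when the answer section's CNAME chain leaves that zone, processing of the message stops at the CNAME and the target is resolved afresh, ignoring whatever NXDOMAIN/SOA the same message attached to it. All domain names, the record tuples and the `delegated_zone` parameter are constructed for the example; only owner names are modelled, not the wire format.

```python
"""
Added example modelling the checks discussed in the thread on constructed
names. Not BIND or Windows DNS code; the message model is a plain list of
(owner, rtype, rdata) tuples plus the owner name of the authority SOA.
"""


def labels(name: str) -> list[str]:
    """Split a presentation-format name into lowercase labels; '.' -> []."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def is_subdomain(name: str, ancestor: str) -> bool:
    """True if name equals ancestor or lies below it (root is above everything)."""
    anc, nme = labels(ancestor), labels(name)
    return len(nme) >= len(anc) and nme[len(nme) - len(anc):] == anc


def credible_negative_answer(delegated_zone: str, qname: str, soa_owner: str) -> bool:
    """RFC 2308 credibility plus bailiwick: the SOA owner must be a zone at or
    above qname, and must itself be inside the zone the server was delegated.
    An SOA for 'hosting' from a server delegated example.com fails the second
    test, which is the misconfiguration the thread describes."""
    return is_subdomain(qname, soa_owner) and is_subdomain(soa_owner, delegated_zone)


def process_response(delegated_zone: str, qname: str, answer: list, authority_soa):
    """Walk a response to qname received from a server delegated delegated_zone.

    answer:        list of (owner, rtype, rdata) in the order sent
    authority_soa: owner name of the authority-section SOA, or None
    Assumes the message rcode is NXDOMAIN when no data is found.

    Returns (verdict, name):
      ("DATA", name)           name has a non-CNAME RRset in this message
      ("CNAME_RESTART", tgt)   chain left the delegated zone; query tgt afresh,
                               ignoring any negative answer given for it here
      ("NXDOMAIN", name)       negative answer accepted under RFC 2308
      ("REJECT", name)         negative answer from a server not authoritative
                               for the name (treated as a poisoning attempt)
    """
    current = qname
    for owner, rtype, rdata in answer:
        if labels(owner) != labels(current):
            continue  # not the next link in the chain: ignore stray records
        if rtype != "CNAME":
            return ("DATA", current)
        current = rdata
        if not is_subdomain(current, delegated_zone):
            # Stop here, like a resolver that "just sees the CNAME";
            # the SOA this server attached for the target is not used.
            return ("CNAME_RESTART", current)
    if authority_soa is None or not credible_negative_answer(delegated_zone, current, authority_soa):
        return ("REJECT", current)
    return ("NXDOMAIN", current)


if __name__ == "__main__":
    # Constructed scenario: the customer's zone CNAMEs into a fake ".hosting"
    # TLD and the same server claims NXDOMAIN for the target with an SOA for
    # "hosting", which it was never delegated.
    verdict = process_response(
        "example.com",
        "www.example.com",
        [("www.example.com", "CNAME", "site.customer.hosting")],
        "hosting",
    )
    print(verdict)  # ('CNAME_RESTART', 'site.customer.hosting')
    print(credible_negative_answer("example.com", "site.customer.hosting", "hosting"))  # False
```

The bailiwick test is the part that distinguishes a forgotten leaf zone from the fake-TLD case in the thread: a stale SOA for a leaf below the delegation still passes `is_subdomain(soa_owner, delegated_zone)`, whereas an SOA for "hosting" or "." never can, whatever the server claims.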

