1. DNS/NXDOMAIN/cz
cz and nic.cz have [a-d].ns.nic.cz as their NS.
$ dnsq ns cz a.root-servers.net
2 cz:
267 bytes, 1+0+4+8 records, response, noerror
query: 2 cz
authority: cz 172800 NS d.ns.nic.cz
authority: cz 172800 NS c.ns.nic.cz
authority: cz 172800 NS b.ns.nic.cz
authority: cz 172800 NS a.ns.nic.cz
additional: d.ns.nic.cz 172800 A 193.29.206.1
...
If you send a query to a.ns.nic.cz for nonexistent.a.ns.nic.cz NS, you will get the following response.
$ dnsq ns nonexistent.a.ns.nic.cz a.ns.nic.cz
2 nonexistent.a.ns.nic.cz:
88 bytes, 1+0+1+0 records, response, authoritative, nxdomain
query: 2 nonexistent.a.ns.nic.cz
authority: nic.cz 1800 SOA a.ns.nic.cz hostmaster.nic.cz 1457618104 10800 3600 1209600 7200
Can we tell "There is a nic.cz zone"? Yes.
- And we can tell that nic.cz has a.ns.nic.cz as an NS.
- We can also tell "There is no ns.nic.cz zone."
- We should know that the a.ns.nic.cz zone does not exist.
-- ToshinoriMaeno 2016-03-15 12:30:24
If we use the information obtained from the NXDOMAIN reply, we can protect the SOA label domain name and the names underneath it from NS poisoning attacks.
- e.g. nic.cz and ns.nic.cz
A cache poisoning attack will not be effective for at least the negative caching TTL seconds.
-- ToshinoriMaeno 2016-03-14 14:39:27
https://twitter.com/beyondDNS/status/709705732472442881
The SOA record of an NXDOMAIN response means that there are no zones at or above the query name and under the SOA label (zone).
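As an added, resolver-side illustration of this rule (example code, not from this page or its author): given the NXDOMAIN for nonexistent.a.ns.nic.cz whose authority SOA is owned by nic.cz, it computes the names that cannot be zone apexes and refuses NS records for them until the RFC 2308 negative-caching TTL (the smaller of the SOA TTL and SOA MINIMUM) lapses. The guard class, its method names and the timestamp T0 are assumptions.

```python
from dataclasses import dataclass

def labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels (a trailing dot is ignored)."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]

def names_without_zone_cut(qname: str, soa_owner: str) -> list[str]:
    """Names proven NOT to be zone apexes by an NXDOMAIN whose authority
    section carries an SOA owned by soa_owner: the query name itself and
    every name between it and the SOA owner (the SOA owner excluded)."""
    q, s = labels(qname), labels(soa_owner)
    if len(q) <= len(s) or q[len(q) - len(s):] != s:
        raise ValueError("SOA owner must be a proper ancestor of the query name")
    return [".".join(q[i:]) for i in range(len(q) - len(s))]

@dataclass
class Proof:
    soa_owner: str
    expires: float  # absolute time after which the proof lapses

class NxdomainGuard:
    """Hypothetical resolver-side check: an NS RRset whose owner is proven
    not to head a zone is rejected while the negative-cache proof is live."""
    def __init__(self) -> None:
        self._proofs: dict[str, Proof] = {}

    def learn_nxdomain(self, qname: str, soa_owner: str,
                       soa_ttl: int, soa_minimum: int, now: float) -> None:
        ttl = min(soa_ttl, soa_minimum)  # RFC 2308 negative-caching TTL
        for name in names_without_zone_cut(qname, soa_owner):
            self._proofs[name] = Proof(soa_owner, now + ttl)

    def accept_ns(self, owner: str, now: float) -> bool:
        """False while a live proof says `owner` cannot be a zone apex."""
        proof = self._proofs.get(".".join(labels(owner)))
        if proof is None or proof.expires <= now:
            return True  # no live proof; normal cache rules decide
        return False

# Constructed sample mirroring the dnsq output above: NXDOMAIN for
# nonexistent.a.ns.nic.cz, SOA owned by nic.cz, TTL 1800, MINIMUM 7200.
T0 = 1_000_000.0  # constructed "current time" in seconds
guard = NxdomainGuard()
guard.learn_nxdomain("nonexistent.a.ns.nic.cz", "nic.cz", 1800, 7200, T0)
```

The proof expires after 1800 s here (the SOA TTL, smaller than MINIMUM), after which NS records for ns.nic.cz are accepted again under the resolver's usual rules.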
2. QA
The SOA tells you where the closest zone cut is; ns.nic.cz might still have A or TXT or whatever.
- ns.nic.cz does not have an NS! This is the difference.
What if you introduce the ns.nic.cz zone cut in the nic.cz zone at some point?
- The negative caching TTL of ns.nic.cz should be the same as for other negatively cached records.