[NCAP-Discuss] NOERROR vs. NXDOMAIN behavior

James Galvin galvin at elistx.com
Thu Sep 14 13:02:03 UTC 2023 

Thanks for doing this Casey.  This is indeed good news.  We need to make sure to capture this in our report.

My support for your NOERROR proposal has just increased dramatically.

Thanks,

Jim


On 13 Sep 2023, at 15:56, Casey Deccio wrote:

> Dear all,
>
> In the last NCAP call (Aug 30, 2023), I was tasked with three items related to the proposal of the delegation of the nearly empty TLD zone, as proposed:
>
> 1. Test NODATA (NOERROR with empty answer) vs. NXDOMAIN behavior in a variety of environments to see what the differences are observed and what problems might be encountered.
>
> 2. Communicate with Cloudflare representatives to find out what issues, if any, they have experienced with returning NODATA instead of NXDOMAIN.
>
> 3. Draft text to formalize the delegation of the technique involving the delegation of nearly empty TLD zone, for use in the report 2 recommendations and appendix.
>
>
>
> In this email, I will address the first two of these.  The third is still in process.
>
> 1. I have tested name resolution behavior with respect to NODATA vs. NXDOMAIN in the following ways:
>
> - Windows: getaddrinfo(), Edge, Firefox, Chrome, ping, ssh, RDP, and SMB (file sharing).
> - MacOS: getaddrinfo(), Safari, Firefox, Chrome, ping, ssh
> - Debian GNU/Linux: getaddrinfo(), nslookup, Firefox, ssh
>
> In each of these cases, I have examined behavior when using domains that would end up as either NXDOMAIN or NODATA, including both unqualified and fully-qualified domain names.  In all that testing, I found the following:
>
> - getaddrinfo() on Linux is the only library that, in practice distinguishes between NODATA and NXDOMAIN.  The Windows getaddrinfo() API has two separate error codes for the two statuses, but it isn't supported in practice.  The getaddrinfo() API for MacOS has only a single error code; thus, it doesn't even have a place to support a distinction.
>
> - The only place where I found difference in behavior was when using a fully-qualified domain name on Chrome on MacOS.  The DNS lookups differed slightly, but the overall behavior presented to the user was the same.
>
> I can share more details about my testing, but not in this email.
>
>
> 2. I have communicated with folks at Cloudflare about their experience with returning NODATA in response to queries that would otherwise return NXDOMAIN.  The answer was that they have received "no reports of DNS operational issues related to 'minimal answers'".
>
>
> 3. Still working on my writeup.
>
> Thanks,
>
> Casey
>
>
> _______________________________________________
> NCAP-Discuss mailing list
> NCAP-Discuss at icann.org
> https://mm.icann.org/mailman/listinfo/ncap-discuss
>
> _______________________________________________
> By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

More information about the NCAP-Discuss mailing list