Some basic but seemingly impossible to google DNSSEC questions

Hi! I recently enabled DNSSEC, and I have a few basic questions that I’ve had a really hard time googling. I’ve tried looking over the Cloudflare docs, but there are so many of them and they often conflict with each other. Any help would be greatly appreciated.

  1. Ever since I enabled DNSSEC, dig returns “NOERROR” rather than “NXDOMAIN” for records that don’t exist. I can understand why this would be (NSEC), but what confuses me is that, based on my DNS analytics, my domain is still serving a very small number of NXDOMAIN status codes (about 1 in 5,000). How is this possible, and what could be generating them?

  2. I have also noticed a handful of “REFUSED” responses. They’re even rarer than NXDOMAIN (about 1 in 10,000), and I can’t recall ever seeing one before enabling DNSSEC. What kind of situations cause Cloudflare to serve this response? What could be the reason I’ve never seen any in my analytics until after enabling DNSSEC?

  3. I have some 4th-level subdomains (type: TXT) on a 3rd-level subdomain that doesn’t exist. For example, I have some records like a.node.example.com and b.node.example.com, but node.example.com doesn’t exist. My understanding is that this is relatively normal, okay to do, and is referred to as an “empty non-terminal.” They function just fine, but here’s where it gets weird:

When I dig for node.example.com using the dnssec flag, the NSEC response contains every RR type except the one I searched for. For example, if I run “dig A node.example.com +dnssec”, the NSEC looks like this:

NSEC \000.node.example.com. HINFO MX TXT AAAA LOC SRV NAPTR CERT SSHFP RRSIG NSEC TLSA SMIMEA HIP OPENPGPKEY TYPE64 TYPE65 SPF URI CAA

What confuses me is that, if I dig for other non-existent hosts e.g. doesnotexist.example.com or definitely.doesnotexist.example.com, the NSEC record returns only RRSIG and NSEC. It looks like:

NSEC \000.doesnotexist.example.com. RRSIG NSEC
or
NSEC \000.definitely.doesnotexist.example.com. RRSIG NSEC

Why do I receive different NSEC responses for non-existent subdomains that do and do not have subdomains of their own? Is this normal, or indicative of a problem? Would there be any benefits to just avoiding empty non-terminals or even all subdomains more than 1 layer deep completely (assuming that SSL is not a factor)?

Thank you so much.
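As an added illustration (not part of the original post, and not Cloudflare's code), here is a small Python helper that reads an NSEC record the way a validating resolver would and reports what it proves for the query: whether the name exists with the queried type absent (NODATA, hence NOERROR), whether the name falls in the gap between owner and next name (NXDOMAIN), and whether the next name is the smallest possible successor. The sample records are the two quoted above; the `\000` successor check is an assumption based only on the output shown in the post.

```python
import re

def canonical_key(name: str):
    """Sort key for RFC 4034 canonical name order: labels compared right to left,
    lowercased, with \\DDD presentation escapes decoded (\\000 is one NUL byte)."""
    labels = name.lower().rstrip(".").split(".")
    dec = lambda l: re.sub(rb"\\(\d{3})", lambda m: bytes([int(m.group(1))]), l.encode())
    return [dec(l) for l in reversed(labels)]

def parse_nsec(rdata: str):
    """'NSEC <next-owner> <TYPE ...>' -> (next_owner, set of types in the bitmap)."""
    fields = rdata.split()
    if len(fields) < 2 or fields[0].upper() != "NSEC":
        raise ValueError("not an NSEC rdata line: %r" % rdata)
    return fields[1].lower().rstrip("."), {t.upper() for t in fields[2:]}

def classify_nsec(qname: str, qtype: str, owner: str, rdata: str) -> dict:
    """Say what one NSEC record proves about the (qname, qtype) that was queried."""
    qname, owner = qname.lower().rstrip("."), owner.lower().rstrip(".")
    nxt, types = parse_nsec(rdata)
    out = {
        # "\000.<owner>" is the smallest possible successor name: such an NSEC
        # covers no other name at all, only the owner's own type bitmap.
        "minimal_successor": nxt == "\\000." + owner,
        "types": sorted(types),
    }
    if owner == qname:
        # Owner matches: the name exists (so NOERROR), and the bitmap says which
        # types it has. A bitmap of only RRSIG/NSEC means "exists, but no data".
        out["proof"] = "INCONSISTENT" if qtype.upper() in types else "NODATA"
        out["empty_bitmap"] = types <= {"RRSIG", "NSEC"}
    elif canonical_key(owner) < canonical_key(qname) < canonical_key(nxt):
        out["proof"] = "NXDOMAIN"  # qname sorts strictly between owner and next
    else:
        out["proof"] = "NOT_COVERING"
    return out

if __name__ == "__main__":
    # The two records quoted in the post (sample input constructed from that text).
    samples = [
        ("node.example.com", "A", "node.example.com.",
         "NSEC \\000.node.example.com. HINFO MX TXT AAAA LOC SRV NAPTR CERT SSHFP "
         "RRSIG NSEC TLSA SMIMEA HIP OPENPGPKEY TYPE64 TYPE65 SPF URI CAA"),
        ("doesnotexist.example.com", "A", "doesnotexist.example.com.",
         "NSEC \\000.doesnotexist.example.com. RRSIG NSEC"),
    ]
    for qn, qt, owner, rdata in samples:
        print(qn, qt, classify_nsec(qn, qt, owner, rdata))
```

Both quoted records come back as NODATA with a minimal successor, which is why dig reports NOERROR for them; the second additionally has an empty bitmap, i.e. a name that exists on paper but carries no data.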

Hi. Gonna bump this thread one time. It’s not the end of the world if I don’t get answers, but if anybody who (unlike me) does know what they’re talking about could chime in I would greatly appreciate it. Thank you.

  • tls2point0
