Hi! I recently enabled DNSSEC, and I have a few basic questions that I’ve had a really hard time googling. I’ve tried looking over the Cloudflare docs, but there are so many of them and they often conflict with each other. Any help would be greatly appreciated.
Ever since I enabled DNSSEC, dig returns “NOERROR” rather than “NXDOMAIN” for records that don’t exist. I can understand why this would be (NSEC), but what confuses me is that, based on my DNS analytics, my domain is still serving a very small number of NXDOMAIN status codes (about 1 in 5,000). How is this possible, and what could be generating them?
I have also noticed a handful of “REFUSED” responses. They’re even rarer than NXDOMAIN (about 1 in 10,000), and I can’t recall ever seeing one before enabling DNSSEC. What kind of situations cause Cloudflare to serve this response? What could be the reason I’ve never seen any in my analytics until after enabling DNSSEC?
I have some 4th-level subdomains (type: TXT) on a 3rd-level subdomain that doesn’t exist. For example, I have some records like a.node.example.com and b.node.example.com, but node.example.com doesn’t exist. My understanding is that this is relatively normal, okay to do, and is referred to as an “empty non-terminal.” They function just fine, but here’s where it gets weird:
When I dig for node.example.com using the +dnssec flag, the NSEC response contains every RR type except the one I searched for. For example, if I run “dig A node.example.com +dnssec”, the NSEC looks like this:
NSEC \000.doesnotexist.example.com. RRSIG NSEC
NSEC \000.definitely.doesnotexist.example.com. RRSIG NSEC
Why do I receive different NSEC responses for non-existent subdomains that do and do not have subdomains of their own? Is this normal, or indicative of a problem? Would there be any benefits to just avoiding empty non-terminals or even all subdomains more than 1 layer deep completely (assuming that SSL is not a factor)?
Thank you so much.
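An added example (not part of the original post, and not Cloudflare's code): a small validator-side checker, in Python with the standard library only, that applies the NSEC rules from RFC 4034 (canonical name ordering) and RFC 4035 / RFC 6840 (denial of existence) to decide whether a given NSEC record proves NXDOMAIN, proves NODATA, or proves nothing about a query. Every record in it is constructed for illustration: one conventional NSEC chain for the zone described above, in which the empty non-terminal node.example.com gets no NSEC of its own, and two records modelled on the \000 form quoted above, whose next name is the minimal successor used by RFC 4470-style synthesized NSEC records. The type bitmaps are assumed, not taken from any real zone.

```python
"""Check what an NSEC record proves for a DNS query (added example).

Implements the validator rules of RFC 4034 s6.1 (canonical name order) and
RFC 4035 / RFC 6840 (denial of existence) with the standard library only.
All records below are constructed for illustration.
"""


def parse_name(text):
    """Split a presentation-format name into lowercased byte labels.
    Handles \\DDD (decimal byte) and \\X escapes, so the label "\\000" is one zero byte."""
    text = text.rstrip(".")
    if not text:
        return []
    labels, cur, i = [], bytearray(), 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and text[i + 1:i + 4].isdigit():
            cur.append(int(text[i + 1:i + 4]))
            i += 4
        elif ch == "\\":
            cur.append(ord(text[i + 1]))
            i += 2
        elif ch == ".":
            labels.append(bytes(cur).lower())
            cur = bytearray()
            i += 1
        else:
            cur.append(ord(ch))
            i += 1
    labels.append(bytes(cur).lower())
    return labels


def canonical_key(text):
    """RFC 4034 canonical order: labels compared right to left, so an ancestor
    sorts before its descendants and node < a.node < b.node."""
    return tuple(reversed(parse_name(text)))


def is_subdomain(child, parent):
    c, p = parse_name(child), parse_name(parent)
    return len(c) > len(p) and c[len(c) - len(p):] == p


def is_minimally_covering(owner, nxt):
    """True when next == "\\000" + owner: the smallest possible successor, used by
    RFC 4470-style synthesized NSEC records (the form quoted in the post)."""
    return parse_name(nxt) == [b"\x00"] + parse_name(owner)


def nsec_verdict(qname, qtype, owner, nxt, types, apex):
    """What does this NSEC prove for (qname, qtype)?
    NODATA: name exists, type absent. NXDOMAIN: name absent. TYPE_EXISTS: bitmap
    contradicts a denial. NOT_COVERED: this record says nothing about qname."""
    types = {t.upper() for t in types}
    ko, kq, kn, ka = (canonical_key(n) for n in (owner, qname, nxt, apex))
    if ko == kq:
        # Owner is the query name itself, so the name exists: NODATA at most.
        return "TYPE_EXISTS" if qtype.upper() in types else "NODATA"
    # The last NSEC in the chain points back at the apex, which sorts first.
    in_gap = kq > ko if kn == ka else ko < kq < kn
    if not in_gap:
        return "NOT_COVERED"
    if is_subdomain(nxt, qname):
        # Names exist below qname, so qname is an empty non-terminal: it exists
        # with no data, and the correct answer is NODATA, not NXDOMAIN.
        return "NODATA"
    if is_subdomain(qname, owner) and ("DNAME" in types or ("NS" in types and "SOA" not in types)):
        # RFC 6840 s4.1: an NSEC at a delegation or DNAME owner proves nothing
        # about names below it.
        return "NOT_COVERED"
    return "NXDOMAIN"


ZONE = "example.com"

# Constructed NSEC chain as a conventional offline signer would build it for the
# post's zone: empty non-terminals (node.example.com) get no NSEC of their own.
CLASSIC = {
    "example.com": ("a.node.example.com", {"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"}),
    "a.node.example.com": ("b.node.example.com", {"TXT", "RRSIG", "NSEC"}),
    "b.node.example.com": ("example.com", {"TXT", "RRSIG", "NSEC"}),
}

# Constructed records modelled on the \000 form quoted in the post: owner is the
# query name and next is its minimal successor (type lists are assumed).
SYNTHESIZED = {
    "doesnotexist.example.com": (r"\000.doesnotexist.example.com", {"RRSIG", "NSEC"}),
    "node.example.com": (r"\000.node.example.com", {"TXT", "AAAA", "MX", "RRSIG", "NSEC"}),
}


def verdict_from_chain(chain, qname, qtype):
    """Find the NSEC whose gap holds qname; return (owner, verdict, minimal successor?)."""
    for owner, (nxt, types) in chain.items():
        v = nsec_verdict(qname, qtype, owner, nxt, types, ZONE)
        if v != "NOT_COVERED":
            return owner, v, is_minimally_covering(owner, nxt)
    return None, "NOT_COVERED", False


if __name__ == "__main__":
    for chain_name, chain in (("classic", CLASSIC), ("synthesized", SYNTHESIZED)):
        for q in ("node.example.com", "doesnotexist.example.com"):
            print(chain_name, q, "A", verdict_from_chain(chain, q, "A"))
```

Run it and the two chains give different verdicts for the same queries. In the conventional chain, doesnotexist.example.com is proven nonexistent (NXDOMAIN), and node.example.com is recognised as an empty non-terminal because the covering NSEC's next name lies below it (NODATA). In the \000 form, the owner name equals the query name, so a validator can only conclude that the name exists and lacks the queried type; a validating resolver reports that as NOERROR with an empty answer section, which is why dig shows NOERROR rather than NXDOMAIN for such records. The checker is a handy sanity test when reading dig +dnssec output by hand.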