This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

what’s the meaning of these NSEC records in mDNS response packet?

0

I got a mDNS response like this, can't understand the NSEC records in additional records section. According to rfc 6762, NSEC record in the Additional Section indicates nonexistence of record, but in the Answers Section, it does exist. So what does this mean?

Multicast Domain Name System (response)
    Transaction ID: 0x0000
    Flags: 0x8400 Standard query response, No error
    Questions: 0
    Answer RRs: 2
    Authority RRs: 0
    Additional RRs: 3
    Answers
        6.2.9.E.3.F.4.E.9.6.9.3.D.6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.arpa: type PTR, class IN, cache flush, R-er.local
        104.1.168.192.in-addr.arpa: type PTR, class IN, cache flush, R-er.local
            Name: 104.1.168.192.in-addr.arpa
            Type: PTR (domain name PoinTeR) (12)
            .000 0000 0000 0001 = Class: IN (0x0001)
            1... .... .... .... = Cache flush: True
            Time to live: 120
            Data length: 2
            Domain Name: R-er.local
    Additional records
        6.2.9.E.3.F.4.E.9.6.9.3.D.6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.arpa: type NSEC, class IN, cache flush, next domain name 6.2.9.E.3.F.4.E.9.6.9.3.D.6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.arpa
        104.1.168.192.in-addr.arpa: type NSEC, class IN, cache flush, next domain name 104.1.168.192.in-addr.arpa
            Name: 104.1.168.192.in-addr.arpa
            Type: NSEC (47)
            .000 0000 0000 0001 = Class: IN (0x0001)
            1... .... .... .... = Cache flush: True
            Time to live: 120
            Data length: 6
            Next Domain Name: 104.1.168.192.in-addr.arpa
            RR type in bit map: PTR (domain name PoinTeR)
        <Root>: type OPT

asked 08 Mar '17, 21:40

jfly's gravatar image

jfly
41459
accept rate: 0%


One Answer:

2

Hello jfly

It looks like the mDNS responder has implemented an option from RFC6762:

   On receipt of a question for a particular name, rrtype, and rrclass,
   for which a responder does have one or more unique answers, the
   responder MAY also include an NSEC record in the Additional Record
   Section indicating the nonexistence of other rrtypes for that name
   and rrclass.

Since the mDNS message holds two responses, the additional NSEC record informs the client, that there are no further responses available.

answered 09 Mar '17, 13:50

packethunter's gravatar image

packethunter
2.1k71548
accept rate: 8%

Thanks! I miss this while reading rfc.

(09 Mar '17, 17:48) jfly