# DVE-2017-0008: Cloudflare omits SOA from NOERROR/NODATA response to DS query

## Description

`nominet.uk` is hosted on the Cloudflare DNS servers, and signed.
`info.nominet.uk` is an unsigned delegation to non-Cloudflare DNS servers.

DS queries for `info.nominet.uk` get an RFC 2308 type 3 response from Cloudflare - no SOA nor NS records in the authority section.
The missing SOA prevents negative cacheing from working.

With a DO=1 query, the response includes an NSEC proof of nonexistence and an RRSIG NSEC.
This makes BIND fail to recognize the response as a valid negative response.

Other negative responses from Cloudflare are RFC 2308 type 2, with a SOA.
Unsigned delegations from domains hosted on Cloudflare seem to be rare,
so almost all of their negative responses are OK.

## Evidence
    
    ; <<>> DiG 9.12.0-dev <<>> +multiline +dnssec +norec @173.245.58.93 info.nominet.uk ds
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30803
    ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 512
    ;; QUESTION SECTION:
    ;info.nominet.uk.	IN DS
    
    ;; AUTHORITY SECTION:
    info.nominet.uk.	3600 IN	NSEC info\000.nominet.uk. NS RRSIG NSEC
    info.nominet.uk.	3600 IN	RRSIG NSEC 13 3 3600 (
    				20170127130916 20170125110916 35273 nominet.uk.
    				eRwjoEkjqHEC54J3dmp3Q6gJdQznPba6X697aYcds0YB
    				VE3MhfGWUw2Qbn9HnctJJRRyfutZPKpABOsXaHOHMQ== )
    
    ;; Query time: 8 msec
    ;; SERVER: 173.245.58.93#53(173.245.58.93)
    ;; WHEN: Thu Jan 26 12:09:16 GMT 2017
    ;; MSG SIZE  rcvd: 188
    
    
## Proposed fix

Include the SOA and RRSIG SOA in the negative DS response.