In message <[email protected]>, Peter van Dijk writes:
> Hello,
>
> first of all, let me say that I could be wrong. Both NSD and BIND violating an
> RFC in the same way does not sound like the most likely scenario to me.
> However, I want to be sure.
>
> For a CNAME pointing to a non-existing name in the same zone, BIND and NSD
> return NOERROR, and do not include a SOA record in the AUTHORITY section.
> According to my reading of RFC2308 section 1 (definition of QNAME) and section
> 2.1, they should return NXDOMAIN and include the SOA.
>
> RFC6604 (which updates 2308) section 3 restates, according to my reading, the
> same.
>
> Given a zone example.com with the usual records (SOA, couple of NSes) at the
> apex, plus these records:
>
> ns1 IN A 192.168.1.1
> ns2 IN A 192.168.1.2
> nxd IN CNAME nxdomain.example.com.
>
> BIND returns:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49021
> ;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
>
> ;; QUESTION SECTION:
> ;nxd.example.com. IN ANY
>
> ;; ANSWER SECTION:
> nxd.example.com. 120 IN CNAME nxdomain.example.com.
>
> ;; AUTHORITY SECTION:
> example.com. 120 IN NS ns2.example.com.
> example.com. 120 IN NS ns1.example.com.
>
> ;; ADDITIONAL SECTION:
> ns1.example.com. 120 IN A 192.168.1.1
> ns2.example.com. 120 IN A 192.168.1.2

You asked an ANY query. ANY and CNAME have different processing rules.
The query is NOT restarted with the target of the CNAME. See RFC 1034.

> NSD returns the same minus the ra flag.
>
> PowerDNS, however, returns:

You asked a different question (A != ANY). If you want to compare answers
you need to ask IDENTICAL questions.

> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34897
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 2800
> ;; QUESTION SECTION:
> ;nxd.example.com. IN A
>
> ;; ANSWER SECTION:
> nxd.example.com. 120 IN CNAME nxdomain.example.com.
>
> ;; AUTHORITY SECTION:
> example.com. 86400 IN SOA ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
>
> ;; Query time: 1 msec
> ;; SERVER: 127.0.0.1#5300(127.0.0.1)
> ;; WHEN: Fri Oct 26 13:06:46 2012
> ;; MSG SIZE rcvd: 111
>
>
> The relevant difference here is NXDOMAIN instead of NOERROR, and the addition
> of the SOA. PowerDNS not including the NS records plus their IPs is
> inconsequential to the issue, as far as I can tell.
>
> On a sidenote, NSD does include an NSEC3 denying existence of
> nxdomain.example.com when DNSSEC+NSEC3 are enabled. I did not verify this for
> BIND. PowerDNS currently does not generate this NSEC3 but this will be fixed
> shortly.
>
> Opinions welcome!
>
> Kind regards,
> --
> Peter van Dijk
> Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
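As an added illustration, not part of the thread or of any of the servers discussed: a toy authoritative lookup over the example.com zone quoted above (record data taken from the two dig outputs) that applies the RFC 1034 / RFC 6604 rules Mark points at, so the same CNAME yields NOERROR with no SOA for an ANY query and NXDOMAIN plus the SOA for an A query. The zone dictionary, the `answer` function and the max_chain guard are constructed for this example.

```python
# Constructed zone data for example.com: {owner: {type: [rdata, ...]}}.
# NS/ADDITIONAL sections are omitted, as the thread calls them inconsequential.
ZONE_ORIGIN = "example.com."
SOA = ("example.com.", "SOA",
       "ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400")
ZONE = {
    "example.com.": {"SOA": [SOA[2]], "NS": ["ns1.example.com.", "ns2.example.com."]},
    "ns1.example.com.": {"A": ["192.168.1.1"]},
    "ns2.example.com.": {"A": ["192.168.1.2"]},
    "nxd.example.com.": {"CNAME": ["nxdomain.example.com."]},
}


def in_zone(name):
    return name == ZONE_ORIGIN or name.endswith("." + ZONE_ORIGIN)


def answer(qname, qtype, max_chain=8):
    """Return (rcode, answer_rrs, authority_rrs) for a query against ZONE."""
    answer_rrs = []
    name = qname
    for _ in range(max_chain):
        rrsets = ZONE.get(name)
        if rrsets is None:
            # Name does not exist: NXDOMAIN with the SOA in AUTHORITY so the
            # answer can be negatively cached (RFC 2308 s2.1). After a CNAME
            # restart the rcode describes the final target (RFC 6604 s3).
            return "NXDOMAIN", answer_rrs, [SOA]
        if "CNAME" in rrsets and qtype not in ("CNAME", "ANY"):
            # RFC 1034 s4.3.2 step 3a: copy the CNAME, restart at its target.
            target = rrsets["CNAME"][0]
            answer_rrs.append((name, "CNAME", target))
            if not in_zone(target):
                # Out-of-zone target: this authoritative server stops here and
                # leaves chasing the chain to the resolver (simplified).
                return "NOERROR", answer_rrs, []
            name = target
            continue
        if qtype == "ANY":
            # ANY (like CNAME) is never restarted at the target: every RRset
            # present at the name is returned as-is, no SOA, no NXDOMAIN.
            for rtype, rdatas in rrsets.items():
                answer_rrs += [(name, rtype, rd) for rd in rdatas]
            return "NOERROR", answer_rrs, []
        if qtype in rrsets:
            answer_rrs += [(name, qtype, rd) for rd in rrsets[qtype]]
            return "NOERROR", answer_rrs, []
        # Name exists but lacks the requested type: NODATA (NOERROR + SOA).
        return "NOERROR", answer_rrs, [SOA]
    return "SERVFAIL", answer_rrs, []  # CNAME loop or chain too long
```

Running `answer("nxd.example.com.", "ANY")` reproduces the BIND/NSD shape from the thread and `answer("nxd.example.com.", "A")` the PowerDNS shape, which is why the two outputs are not comparable.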
