<dnsext-chair-hat=on>
Strictly speaking this is dnsext fodder, not dnsop, as the RFCs quoted are under DNSEXT change control.
Please move the discussion there.

<dnsext-chair-hat=off>

On 26/10/2012 09:25, Peter van Dijk wrote:
Hello Mark,

Thank you for your swift and accurate response.

On Oct 26, 2012, at 15:12 , Mark Andrews wrote:


You asked an ANY query.  ANY and CNAME have different processing rules.
The query is NOT restarted with the target of the CNAME.  See RFC 1034.

NSD returns the same minus the ra flag.

PowerDNS, however, returns:

You asked a different question (A != ANY).  If you want to compare
answers you need to ask IDENTICAL questions.

My mistake.

NSD:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34556
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;nxd.example.com.               IN      A

;; ANSWER SECTION:
nxd.example.com.        120     IN      CNAME   nxdomain.example.com.

This is perfectly OK as NSD in this case is not performing the
optional server side CNAME processing.
The cname exists thus this is a valid answer and valid RCODE.
A recursive resolver now has to ask for nxdomain.example.com and will get the no name error.


BIND, PowerDNS (same except for ra flag)

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4382
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;nxd.example.com.               IN      A

;; ANSWER SECTION:
nxd.example.com.        120     IN      CNAME   nxdomain.example.com.

;; AUTHORITY SECTION:
example.com.            86400   IN      SOA     ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400


This is fine as well but harder to understand :-) as the RCODE refers to the target of the CNAME not the qname.


To be complete:

- for the A query, BIND and PowerDNS return NXDOMAIN+SOA, NSD returns NOERROR.
- for the ANY query, NSD and BIND return NOERROR, PowerDNS returns
   NXDOMAIN+SOA.

Then, as far as I can tell, BIND and PowerDNS do the right thing for the A
query. NSD and BIND do the right thing for the ANY query, going from Mark's
interpretation of the RFCs.

However, 2308 and 6604 totally ignore the ANY exception to following CNAME
chains, and one might argue that thus, 2308 and 6604 still mean that QNAME is
the end of the CNAME chain in the response, and the RCODE thus should be
NXDOMAIN. I think this argument could go either way.

Unless conflicting opinions come in, I will fix PowerDNS to do the right thing
for ANY, and will report the A query issue to the NSD developers.


In the case of ANY IMHO no CNAME processing should take place.
And I encourage you to file errata against the RFCs that we can discuss on the dnsext mailing list, before it is approved.

Kind regards,


Good observations.
        thanks
        Olafur

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
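
The three behaviours compared in the thread, as an added example that is not part of the original messages and is not code from BIND, NSD or PowerDNS. It is a sketch of an authoritative lookup over a constructed zone: the `ZONE` contents, the `answer` function, its `follow_cname` switch and the `MAX_CHAIN` limit are all assumptions made for illustration, and ANY is treated as matching the CNAME itself, following the reading given above.

```python
# Constructed zone data using the names from the thread (sketch only:
# no wildcards, delegations or empty non-terminals).
ZONE = {
    "nxd.example.com.": {"CNAME": ["nxdomain.example.com."]},
    "alias.example.com.": {"CNAME": ["www.example.com."]},
    "www.example.com.": {"A": ["192.0.2.1"]},
}
MAX_CHAIN = 8  # assumption of this sketch: give up on longer chains


def answer(qname, qtype, follow_cname=True):
    """Return (rcode, answer_rrs) for an authoritative lookup in ZONE.

    follow_cname=False models a server that skips the optional
    server-side CNAME processing.
    """
    answers, name = [], qname
    for _ in range(MAX_CHAIN):
        rrsets = ZONE.get(name)
        if rrsets is None:
            # The RCODE reflects the last name looked up, which is the
            # end of the CNAME chain rather than the original qname.
            return "NXDOMAIN", answers
        if "CNAME" in rrsets and qtype not in ("CNAME", "ANY"):
            target = rrsets["CNAME"][0]
            answers.append((name, "CNAME", target))
            if not follow_cname:
                # The CNAME exists, so NOERROR; the resolver chases it.
                return "NOERROR", answers
            name = target
            continue
        # ANY (and CNAME) queries stop here: the query is not restarted.
        wanted = rrsets if qtype == "ANY" else {qtype: rrsets.get(qtype, [])}
        answers += [(name, t, v) for t, vs in wanted.items() for v in vs]
        return "NOERROR", answers
    return "SERVFAIL", answers  # this sketch's choice for over-long chains


if __name__ == "__main__":
    for qtype, follow in (("A", True), ("A", False), ("ANY", True)):
        print(qtype, follow, answer("nxd.example.com.", qtype, follow))
```
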