Do you like long terminology discussions, backed by a dozen RFCs, where
people disagree on what's written in these RFCs? If so, read on.
This issue was spotted by Peter van Dijk. It is about
draft-ietf-dnsop-nxdomain-cut-05, recently approved by IESG. The
problem is the definition of "QNAME" when there is a CNAME chain.
Section 1.1 says:
> "Denied name": the domain name whose existence has been denied by a
> response of rcode NXDOMAIN. In most cases, it is the QNAME but,
> because of [RFC6604], it is not always the case.
And section 2:
> Warning: if there is a chain of CNAME (or DNAME), the name which
> does not exist is the last of the chain ([RFC6604]) and not the
> QNAME. The NXDOMAIN stored in the cache is for the denied name, not
> always for the QNAME.
This text in draft-ietf-dnsop-nxdomain-cut-05 assumes that the QNAME
is the owner name in the Question Section. But RFC 2308 thinks otherwise:
> "QNAME" - the name in the query section of an answer, or where this
> resolves to a CNAME, or CNAME chain, the data field of the last
RFC 1034 had a different definition of QNAME but is not clear on the
specific case of CNAME chains:
> A standard query specifies a target domain name (QNAME)
RFC 7719 does not define QNAME (probably because it seemed obvious).
So, which is right? In this DNS query:
% dig A www.afnic.fr
; <<>> DiG 9.10.3-P4-Ubuntu <<>> A www.afnic.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35551
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;www.afnic.fr. IN A
;; ANSWER SECTION:
www.afnic.fr. 213 IN CNAME www.nic.fr.
www.nic.fr. 213 IN CNAME lb01-1.nic.fr.
lb01-1.nic.fr. 213 IN A 184.108.40.206
;; Query time: 875 msec
;; SERVER: 192.168.43.1#53(192.168.43.1)
;; WHEN: Tue Sep 20 18:11:06 CEST 2016
;; MSG SIZE rcvd: 100
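To make the two readings concrete, here is an added example (not code from the post or from the draft) that follows a CNAME chain in an answer section the way RFC 2308 reads "QNAME", and stores an NXDOMAIN under the denied name (the end of the chain) rather than the Question-section name, as the draft requires. The records are constructed tuples mirroring the dig output above; the NXDOMAIN response and the NegativeCache class are my own assumptions, and DNAME is not handled.

```python
# Added example, not part of the original post. Records are constructed
# (owner, type, rdata) tuples; names are compared case-insensitively and
# normalised to a trailing dot.

def _norm(name):
    return name.lower().rstrip(".") + "."

def follow_cname_chain(question_name, answer_rrs):
    """Return the last name of the CNAME chain that starts at the
    Question-section name (RFC 2308's reading of QNAME). With no CNAME,
    the question name itself is returned."""
    name = _norm(question_name)
    seen = {name}
    while True:
        for owner, rtype, rdata in answer_rrs:
            if rtype == "CNAME" and _norm(owner) == name:
                nxt = _norm(rdata)
                if nxt in seen:          # refuse to spin on a looping chain
                    raise ValueError("CNAME loop at %s" % nxt)
                seen.add(nxt)
                name = nxt
                break
        else:
            return name

def denied_name(question_name, rcode, answer_rrs):
    """For an NXDOMAIN response, the name whose existence is denied is the
    end of the CNAME chain (RFC 6604), not necessarily the question name."""
    if rcode != "NXDOMAIN":
        return None
    return follow_cname_chain(question_name, answer_rrs)

class NegativeCache:
    """Minimal NXDOMAIN cache keyed on the denied name (constructed model
    of the draft's rule: names below a denied name are nonexistent too)."""
    def __init__(self):
        self.denied = set()
    def store(self, question_name, rcode, answer_rrs):
        d = denied_name(question_name, rcode, answer_rrs)
        if d:
            self.denied.add(d)
    def is_known_nonexistent(self, qname):
        q = _norm(qname)
        return any(q == d or q.endswith("." + d) for d in self.denied)

# Constructed data: the answer section of the dig output above (NOERROR),
# and a hypothetical NXDOMAIN response whose chain ends at a missing name.
DIG_ANSWER = [("www.afnic.fr.", "CNAME", "www.nic.fr."),
              ("www.nic.fr.", "CNAME", "lb01-1.nic.fr."),
              ("lb01-1.nic.fr.", "A", "184.108.40.206")]
NX_ANSWER = [("www.example.test.", "CNAME", "nonexistent.example.test.")]
```

With DIG_ANSWER the chain ends at lb01-1.nic.fr., so the two definitions of QNAME disagree; with NX_ANSWER only nonexistent.example.test. (and names below it) is cached as nonexistent, while www.example.test. still exists as a CNAME.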
Is the QNAME "www.afnic.fr" or "lb01-1.nic.fr" ("the data field of the
DNSOP mailing list