In message <[email protected]>, 
Ondřej Surý writes:
> Hi there,
>
> I am seeking clarification on NS RRSet completeness
> in AUTHORITY section as we are tackling one particular
> RPL test from Unbound (iter_pcname.rpl).
>
> Imagine a situation where parent (.net/.com NS) gives this glue:
>
> QUESTION
> <anything>.example.com. IN A
> ANSWER
> AUTHORITY
> example.com. IN NS ns.example.net.
> example.com. IN NS ns.example.com.
> ADDITIONAL
> ns.example.net. IN A 10.0.0.1
> ns.example.com. IN A 10.0.0.2
>
> ~~~
>
> ns.example.net. gives
>
> QUESTION
> www.example.com. IN A
> ANSWER
> www.example.com. IN A 10.10.10.1
> AUTHORITY
> example.com. IN NS ns.example.com.
> ADDITIONAL
> ns.example.com. IN A 10.0.0.2
>
> ~~~
>
> ns.example.com. just returns SERVFAIL
>
> ~~~
>
> And resolver is asked to resolve:
>
> Step 1:
> www.example.com. -> OK, returns 10.10.10.1
>
> Step 2:
> mail.example.com. -> SERVFAIL, because the NS RRset has been
> overwritten by www.example.com ANSWER data from AUTHORITY
> due to RFC 2181 5.4.1 Ranking:
>
> > Data from the authority section of an authoritative answer,
>
> Thus only ns.example.com. is asked and it SERVFAILs.
>
> ~~~
>
> In my understanding it should be ok to return SERVFAIL,
> because there's no way to honor the 5.4.1 Ranking and
> not fail.  Or am I missing something really obvious?

SERVFAIL is fine.  Why people expect the DNS to "work" when they
do stupidity like this I do not know.

The parent zone administrators should be complaining that the
delegating NS records do not match those served by the zone.

Mark

> Ondrej
> --
>  Ondřej Surý -- Technical Fellow
>  --------------------------------------------
>  CZ.NIC, z.s.p.o.    --     Laboratoře CZ.NIC
>  Milesovska 5, 130 00 Praha 3, Czech Republic
>  mailto:[email protected]    https://nic.cz/
>  --------------------------------------------
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
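
The following is an added example, not part of either message and not code from Unbound or any other resolver: a minimal Python model of the cache behaviour discussed in the thread, plus the parent/child NS comparison that would flag the misconfiguration. The class and function names and the address for mail.example.com. are constructed for illustration.

```python
from enum import IntEnum

class Rank(IntEnum):
    """Two of the RFC 2181 5.4.1 trust levels, lowest first."""
    REFERRAL = 1               # NS set from the parent's non-authoritative referral
    AUTH_ANSWER_AUTHORITY = 2  # authority section of an authoritative answer

# Constructed data mirroring the scenario in the message above.
PARENT_NS = {"ns.example.net.", "ns.example.com."}   # delegation at the parent
CHILD_NS = {"ns.example.com."}                       # NS set ns.example.net. serves
ZONE = {"www.example.com.": "10.10.10.1",
        "mail.example.com.": "10.10.10.2"}           # mail address is made up
BROKEN = {"ns.example.com."}                         # always answers SERVFAIL

class NsCache:
    def __init__(self):
        self.rank, self.ns = None, frozenset()

    def store(self, rank, ns):
        # Higher-ranked data replaces lower-ranked data, never the reverse.
        if self.rank is None or rank > self.rank:
            self.rank, self.ns = rank, frozenset(ns)

def resolve(cache, qname):
    if cache.rank is None:                 # cold cache: start from the referral
        cache.store(Rank.REFERRAL, PARENT_NS)
    for server in sorted(cache.ns):
        if server in BROKEN:
            continue                       # SERVFAIL, try the next server
        # ns.example.net. answers and attaches its own, smaller NS set.
        cache.store(Rank.AUTH_ANSWER_AUTHORITY, CHILD_NS)
        return ZONE[qname]
    return "SERVFAIL"

def delegation_mismatch(parent_ns, child_ns):
    """NS names present on only one side of the zone cut."""
    return parent_ns ^ child_ns

def run_scenario():
    warm = NsCache()
    step1 = resolve(warm, "www.example.com.")
    step2 = resolve(warm, "mail.example.com.")  # cache now holds only ns.example.com.
    cold = resolve(NsCache(), "mail.example.com.")
    return step1, step2, cold

if __name__ == "__main__":
    print(run_scenario(), delegation_mismatch(PARENT_NS, CHILD_NS))
```

The third value from run_scenario() shows that the same query succeeds from a cold cache, so the failure depends on query order; delegation_mismatch() is the check a zone operator can run to catch the inconsistency before resolvers do.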
