bert hubert <> wrote:
> In writing this server and while consulting with some other implementors, I
> for now have decided that in 2018 it makes no sense to:
> 1) chase CNAMEs that point to another zone
> 2) look for glue outside of the zone
> Given that any resolver will ignore those answers anyhow. But I wonder, is
> this ok, and do we already have words on if chasing CNAMEs outside of zones
> is mandatory or not?

I'm slightly surprised that Evan and Mukund haven't mentioned this, but
BIND 9.1 to 9.11 had additional-from-cache and additional-from-auth
options which controlled this behaviour. (I turned them off on my servers
years ago.) In 9.12 the options have been removed and authoritative
answers never chase around in search of gossip.

The additional-from-auth toggle reminds me of the somewhat painful history
of glue handling in the shared .com / .net registry and DNS servers...

> 2) Try:
>   ping
>   ping
>   ping
>   None of these resolve when I try them, I wonder if that is because
>   implementations want CNAMEs to be 'host names', or if this a chain of
>   bugs.  Not practically very relevant, but still.

My recursive server gets upset because in noerror/nodata answers, the SOA
record appears in the answer section not the authority section.

I guess (without checking) the libc stub resolver is objecting to the
hostname syntax violations. But if I

        $ ping 'some'

it does actually ask the recursive server before giving up in disgust.

f.anthony.n.finch  <>
justice and liberty cannot be confined by national boundaries

DNSOP mailing list

Reply via email to