bert hubert <bert.hub...@powerdns.com> wrote:
>
> In writing this server and while consulting with some other implementors, I
> for now have decided that in 2018 it makes no sense to:
>
> 1) chase CNAMEs that point to another zone
> 2) look for glue outside of the zone
>
> Given that any resolver will ignore those answers anyhow. But I wonder, is
> this ok, and do we already have words on if chasing CNAMEs outside of zones
> is mandatory or not?

I'm slightly surprised that Evan and Mukund haven't mentioned this, but BIND
9.1 to 9.11 had additional-from-cache and additional-from-auth options which
controlled this behaviour. (I turned them off on my servers years ago.) In
9.12 the options have been removed and authoritative answers never chase
around in search of gossip.

The additional-from-auth toggle reminds me of the somewhat painful history of
glue handling in the shared .com / .net registry and DNS servers...

> 2) Try:
> ping goes-via-embedded-nul.tdns.powerdns.org
> ping goes-via-embedded-space.tdns.powerdns.org.
> ping goes-via-embedded-dot.tdns.powerdns.org.
>
> None of these resolve when I try them, I wonder if that is because
> implementations want CNAMEs to be 'host names', or if this is a chain of
> bugs. Not practically very relevant, but still.

My recursive server gets upset because in noerror/nodata answers, the SOA
record appears in the answer section not the authority section.

I guess (without checking) the libc stub resolver is objecting to the hostname
syntax violations. But if I

$ ping 'some host.tdns.powerdns.org'

it does actually ask the recursive server before giving up in disgust. Weird.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
justice and liberty cannot be confined by national boundaries
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
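
The NODATA complaint in the reply above (SOA in the answer section instead of the authority section, where RFC 2308 expects it) can be checked mechanically on a raw response. The following is an added example, not code from the message or from any of the servers discussed; the function names and the `example.test` zone are assumptions, and both sample responses are constructed in the code.

```python
import struct
A, SOA = 1, 6  # RR type codes

def encode_name(name):
    """Encode a dotted name as uncompressed wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer terminates the name
            return off + 2
        off += 1 + n

def section_types(msg):
    """Return (rcode, qtype, answer RR types, authority RR types)."""
    _, flags, qd, an, ns, _ = struct.unpack("!6H", msg[:12])
    off, qtype = 12, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # name, then QTYPE and QCLASS
        qtype = struct.unpack("!H", msg[off - 4:off - 2])[0]
    sections = []
    for count in (an, ns):
        types = []
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            types.append(rtype)
        sections.append(types)
    return flags & 0xF, qtype, sections[0], sections[1]

def soa_misplaced(msg):
    """True for a NOERROR response whose SOA is in the answer section only."""
    rcode, qtype, answer, authority = section_types(msg)
    return rcode == 0 and qtype != SOA and SOA in answer and SOA not in authority

def build_nodata(qname, zone, soa_in_answer):
    """Constructed sample: authoritative NODATA reply to an A query."""
    rdata = (encode_name("ns." + zone) + encode_name("hostmaster." + zone)
             + struct.pack("!5I", 1, 3600, 600, 86400, 60))
    rr = encode_name(zone) + struct.pack("!HHIH", SOA, 1, 60, len(rdata)) + rdata
    an, ns = (1, 0) if soa_in_answer else (0, 1)
    header = struct.pack("!6H", 0x1234, 0x8400, 1, an, ns, 0)  # QR=1, AA=1
    return header + encode_name(qname) + struct.pack("!2H", A, 1) + rr
```

`soa_misplaced()` takes the raw bytes of a UDP response, so it can be pointed at a captured reply from a server under test as well as at the constructed samples.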