Hello,

first of all, let me say that I could be wrong. Both NSD and BIND violating an
RFC in the same way does not sound like the most likely scenario to me.
However, I want to be sure.

For a CNAME pointing to a non-existing name in the same zone, BIND and NSD
return NOERROR, and do not include a SOA record in the AUTHORITY section.
According to my reading of RFC2308 section 1 (definition of QNAME) and section
2.1, they should return NXDOMAIN and include the SOA.

RFC6604 (which updates 2308) section 3 restates, according to my reading, the
same.

Given a zone example.com with the usual records (SOA, couple of NSes) at the
apex, plus these records:

ns1                     IN      A       192.168.1.1
ns2                     IN      A       192.168.1.2
nxd                     IN      CNAME   nxdomain.example.com.

BIND returns:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49021
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:
;nxd.example.com.               IN      ANY

;; ANSWER SECTION:
nxd.example.com.        120     IN      CNAME   nxdomain.example.com.

;; AUTHORITY SECTION:
example.com.            120     IN      NS      ns2.example.com.
example.com.            120     IN      NS      ns1.example.com.

;; ADDITIONAL SECTION:
ns1.example.com.        120     IN      A       192.168.1.1
ns2.example.com.        120     IN      A       192.168.1.2


NSD returns the same minus the ra flag.

PowerDNS, however, returns:

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34897
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 2800
;; QUESTION SECTION:
;nxd.example.com.               IN      A

;; ANSWER SECTION:
nxd.example.com.        120     IN      CNAME   nxdomain.example.com.

;; AUTHORITY SECTION:
example.com.            86400   IN      SOA     ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400

;; Query time: 1 msec
;; SERVER: 127.0.0.1#5300(127.0.0.1)
;; WHEN: Fri Oct 26 13:06:46 2012
;; MSG SIZE  rcvd: 111


The relevant difference here is NXDOMAIN instead of NOERROR, and the addition
of the SOA. PowerDNS not including the NS records plus their IPs is
inconsequential to the issue, as far as I can tell.

On a side note, NSD does include an NSEC3 denying existence of
nxdomain.example.com when DNSSEC+NSEC3 are enabled. I did not verify this for
BIND. PowerDNS currently does not generate this NSEC3 but this will be fixed
shortly.

Opinions welcome!

Kind regards,
-- 
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
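As an added illustration (not code from BIND, NSD or PowerDNS, and not part of the mail above), here is a toy authoritative lookup in Python that builds the ANSWER and AUTHORITY sections the way RFC 2308 sections 2.1 (Name Error) and 2.2 (No Data) describe them, with the RCODE taken from the last name in a CNAME chain as RFC 6604 section 3 says. The zone data is constructed to mirror the records in the mail (the SOA rdata is the one PowerDNS printed; the extra `ext` CNAME to an out-of-zone target is mine, added to show that case). One caveat worth checking in the captures above: the BIND query was for type ANY and the PowerDNS query for type A, and per RFC 1034 section 3.6.2 a CNAME RRset satisfies an ANY query by itself, so the chain is only followed for a query type the CNAME does not match.

```python
"""Toy authoritative lookup over an in-memory zone (added example, not any
server's code). Returns (RCODE, ANSWER, AUTHORITY); NS/ADDITIONAL records
are left out since the mail treats them as inconsequential here."""

ZONE_ORIGIN = "example.com."

# Constructed zone data mirroring the mail: apex SOA and NS, the two A
# records, and the CNAME to a non-existent name. "ext" is an extra record
# (not in the mail) whose target lies outside the zone.
ZONE = {
    "example.com.": {
        "SOA": ["ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400"],
        "NS": ["ns1.example.com.", "ns2.example.com."],
    },
    "ns1.example.com.": {"A": ["192.168.1.1"]},
    "ns2.example.com.": {"A": ["192.168.1.2"]},
    "nxd.example.com.": {"CNAME": ["nxdomain.example.com."]},
    "ext.example.com.": {"CNAME": ["www.example.net."]},
}

# The SOA that RFC 2308 says must accompany a negative answer (sections 2.1, 2.2).
SOA_RR = (ZONE_ORIGIN, "SOA", ZONE[ZONE_ORIGIN]["SOA"][0])


def in_zone(name: str) -> bool:
    """True if name is at or below the zone apex."""
    return name == ZONE_ORIGIN or name.endswith("." + ZONE_ORIGIN)


def lookup(qname: str, qtype: str, zone=ZONE):
    """Resolve qname/qtype authoritatively, following in-zone CNAME chains.

    The RCODE reflects the final name in the chain (RFC 6604 section 3):
    a chain ending at a non-existent in-zone name yields NXDOMAIN with the
    SOA in AUTHORITY (RFC 2308 section 2.1, "NXDOMAIN RESPONSE: TYPE 1").
    """
    answer = []
    name = qname
    seen = set()
    while name not in seen:          # guard against CNAME loops
        seen.add(name)
        if not in_zone(name):
            # Chain left this zone: hand back the CNAMEs collected so far,
            # no negative proof because we are not authoritative for the target.
            return "NOERROR", answer, []
        rrsets = zone.get(name)
        if rrsets is None:
            # RFC 2308 section 2.1: the (last) name does not exist at all.
            return "NXDOMAIN", answer, [SOA_RR]
        if qtype == "ANY":
            # RFC 1034 section 3.6.2: a CNAME RRset matches ANY, so return
            # everything at this owner without restarting on the target.
            rrs = [(name, t, r) for t in rrsets for r in rrsets[t]]
            return "NOERROR", answer + rrs, []
        if qtype in rrsets:
            rrs = [(name, qtype, r) for r in rrsets[qtype]]
            return "NOERROR", answer + rrs, []
        if "CNAME" in rrsets:
            # Query type does not match the CNAME: restart on the target.
            target = rrsets["CNAME"][0]
            answer.append((name, "CNAME", target))
            name = target
            continue
        # RFC 2308 section 2.2: name exists but has no RRset of this type.
        return "NOERROR", answer, [SOA_RR]
    return "SERVFAIL", answer, []    # loop detected


def render(qname: str, qtype: str) -> str:
    """Print a dig-style summary of the three values lookup() returns."""
    rcode, answer, authority = lookup(qname, qtype)
    lines = [f";; status: {rcode}  ({qname} {qtype})"]
    for section, rrs in (("ANSWER", answer), ("AUTHORITY", authority)):
        lines.append(f";; {section} SECTION:")
        lines.extend(f"{owner}\t{rtype}\t{rdata}" for owner, rtype, rdata in rrs)
    return "\n".join(lines)


if __name__ == "__main__":
    for q in (("nxd.example.com.", "A"), ("nxd.example.com.", "ANY"),
              ("ns1.example.com.", "AAAA"), ("ext.example.com.", "A")):
        print(render(*q), end="\n\n")
```

Running the block prints the four cases side by side: the type A query for `nxd` comes back NXDOMAIN with the CNAME in ANSWER and the SOA in AUTHORITY (the PowerDNS shape in the mail), the ANY query comes back NOERROR with just the CNAME, the AAAA query for `ns1` is a NODATA answer (NOERROR plus SOA), and the out-of-zone CNAME is NOERROR with no SOA.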
