Evan just pointed out a case due to a system test failure that is interesting. It's not clear what the behavior should be in this case, so please discuss:
There's a nameserver that's authoritative for 2 zones example.org. and example.com. In the example.org. zone, foo.example.org. is CNAME to bar.example.com. In the example.com. zone, the name bar.example.com. doesn't exist (NXDOMAIN).

A query for "foo.example.org./A" is answered by the nameserver. It adds the foo.example.org. CNAME bar.example.com. in the answer section, and then, following RFC 1034 4.3.2. 3.(a.), sets the QNAME to "bar.example.com" and looks into the "example.com" zone for "bar.example.com.". It is not found.

The question is: what is the expected reply RCODE for this?

1. Is it NOERROR (0) because there is an answer section with the CNAME?
2. Is it NXDOMAIN (3) because the CNAME target was not found?
3. Does it not matter if it is either?

It seems to me that it should be NOERROR(1) because RFC 1035 defines NXDOMAIN as "this code signifies that the domain name referenced in the query does not exist" which in my interpretation doesn't match the modified QNAME when following the CNAME change. Also, if a resolver caches the NXDOMAIN against the question section name (foo.example.org.), then a follow-up query to the resolver for "foo.example.org./CNAME" will return an NXDOMAIN from cache.

It seems BIND currently returns NXDOMAIN in this case, and the change in behavior between looking-into-other-zones and not-looking-into-other-zones in the nameserver algorithm caused a system test failure, hence the question.

Mukund
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
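The scenario in the message above, as a simplified model added here for illustration; it is not code from the message, from BIND, or from any RFC. The zone data is constructed, and the names `answer`, `follow_into_other_zones` and `NameKeyedNegativeCache` are hypothetical; the cache models only the name-keyed NXDOMAIN caching the message describes.

```python
NOERROR, NXDOMAIN = 0, 3

# Constructed zone data for the scenario in the message (apex records omitted).
ZONES = {
    "example.org.": {"foo.example.org.": {"CNAME": "bar.example.com."}},
    "example.com.": {},  # bar.example.com. does not exist
}

def find_zone(name):
    """Longest-suffix match of name against the zones this server holds."""
    matches = [z for z in ZONES if name == z or name.endswith("." + z)]
    return max(matches, key=len) if matches else None

def answer(qname, qtype, follow_into_other_zones=True):
    """Simplified RFC 1034 4.3.2 lookup; returns (rcode, answer_section)."""
    section, name, origin = [], qname, find_zone(qname)
    for _ in range(8):  # bound the CNAME chain
        zone = find_zone(name)
        if zone is None or (zone != origin and not follow_into_other_zones):
            return NOERROR, section  # stop at the CNAME, leave the rest to the client
        node = ZONES[zone].get(name)
        if node is None:
            return NXDOMAIN, section  # RCODE reflects the *rewritten* QNAME
        if qtype in node:
            section.append((name, qtype, node[qtype]))
            return NOERROR, section
        if "CNAME" not in node:
            return NOERROR, section  # NODATA
        section.append((name, "CNAME", node["CNAME"]))
        name = node["CNAME"]  # step 3(a): restart with the CNAME target
    return NOERROR, section

class NameKeyedNegativeCache:
    """Hypothetical resolver cache that stores NXDOMAIN against the question name."""
    def __init__(self):
        self.nxdomain = set()

    def resolve(self, qname, qtype):
        if qname in self.nxdomain:
            return NXDOMAIN, []  # served from cache, CNAME never seen
        rcode, section = answer(qname, qtype)
        if rcode == NXDOMAIN:
            self.nxdomain.add(qname)
        return rcode, section

if __name__ == "__main__":
    cache = NameKeyedNegativeCache()
    print(cache.resolve("foo.example.org.", "A"))
    print(cache.resolve("foo.example.org.", "CNAME"))
```

Calling `answer` with `follow_into_other_zones=False` returns the same answer section with NOERROR, which is the difference between the two lookup behaviors that the message says caused the system test failure.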