In message <20170405054338.GA15831@jurassic>, Mukund Sivaraman writes:
> Evan just pointed out a case due to a system test failure that is
> interesting.. it's not clear what the behavior should be in this case,
> so please discuss:
>
> There's a nameserver that's authoritative for 2 zones example.org. and
> example.com.
>
> In the example.org. zone, foo.example.org. is CNAME to bar.example.com.
>
> In the example.com. zone, the name bar.example.com. doesn't exist (NXDOMAIN).
>
> A query for "foo.example.org./A" is answered by the nameserver. It adds
> the foo.example.org. CNAME bar.example.com. in the answer section, and
> then, following RFC 1034 4.3.2. 3.(a.), sets the QNAME to
> "bar.example.com" and looks into the "example.com" zone for
> "bar.example.com.". It is not found.
>
> The question is: what is the expected reply RCODE for this?
>
> 1. Is it NOERROR (0) because there is an answer section with the CNAME?
>
> 2. Is it NXDOMAIN (3) because the CNAME target was not found?
>
> 3. Does it not matter if it is either?
>
> It seems to me that it should be NOERROR(1) because RFC 1035 defines
> NXDOMAIN as "this code signifies that the domain name referenced in the
> query does not exist" which in my interpretation doesn't match the
> modified QNAME when following the CNAME change.

No. The RCODE references the end of the CNAME/DNAME chain.

> Also, if a resolver caches the NXDOMAIN against the question section
> name (foo.example.org.), then a follow-up query to the resolver for
> "foo.example.org./CNAME" will return an NXDOMAIN from cache.

Then the resolver is broken.

> It seems BIND currently returns NXDOMAIN in this case, and the change in
> behavior between looking-into-other-zones and
> not-looking-into-other-zones in the nameserver algorithm caused a system
> test failure, hence the question.
>
> Mukund

If the qtype is CNAME or ANY the answer is NOERROR as the CNAME is
not followed. If the qtype isn't CNAME or ANY the answer is NXDOMAIN
as the CNAME is followed.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
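
As an added illustration (not part of the original thread and not BIND's code): a minimal Python model of the RFC 1034 4.3.2 lookup across the two zones, which returns the RCODE for the end of the CNAME chain as the reply above describes, and the name a resolver would attach a cached NXDOMAIN to. All function names and the zone contents beyond the foo/bar names are constructed; DNAME and wildcards are not modelled.

```python
NOERROR, NXDOMAIN, REFUSED = 0, 3, 5

# Constructed zone data for the scenario in the thread: one server, two zones.
ZONES = {
    "example.org.": {"foo.example.org.": {"CNAME": ["bar.example.com."]},
                     "ok.example.org.": {"CNAME": ["www.example.com."]}},
    "example.com.": {"www.example.com.": {"A": ["192.0.2.1"]}},
}

def find_zone(name):
    """Closest enclosing zone this server is authoritative for, or None."""
    hits = [z for z in ZONES if name == z or name.endswith("." + z)]
    return max(hits, key=len) if hits else None

def name_exists(zone, name):
    """A name exists if it owns records or is an empty non-terminal."""
    return any(o == name or o.endswith("." + name) for o in ZONES[zone])

def answer(qname, qtype):
    """Return (rcode, answer_section) as the authoritative server would."""
    name, answers, seen = qname.lower(), [], set()
    while name not in seen:                      # guard against CNAME loops
        seen.add(name)
        zone = find_zone(name)
        if zone is None:                         # target is outside our zones
            return (NOERROR if answers else REFUSED), answers
        if not name_exists(zone, name):
            return NXDOMAIN, answers             # rcode describes the chain end
        rrsets = ZONES[zone].get(name, {})
        if "CNAME" in rrsets and qtype not in ("CNAME", "ANY"):
            target = rrsets["CNAME"][0]
            answers.append((name, "CNAME", target))
            name = target.lower()                # RFC 1034 4.3.2 step 3(a)
            continue
        types = rrsets if qtype == "ANY" else [t for t in rrsets if t == qtype]
        answers += [(name, t, r) for t in types for r in rrsets[t]]
        return NOERROR, answers
    return NOERROR, answers                      # loop detected: stop chasing

def nxdomain_cache_key(qname, answers):
    """Name a resolver may negatively cache for an NXDOMAIN reply."""
    cnames = [a for a in answers if a[1] == "CNAME"]
    return cnames[-1][2].lower() if cnames else qname.lower()
```

Keying the negative cache entry on the end of the chain rather than on the question name is what keeps a later foo.example.org./CNAME query from being answered NXDOMAIN out of cache.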