On 4/5/17, 01:43, "DNSOP on behalf of Mukund Sivaraman" <dnsop-boun...@ietf.org 
on behalf of m...@isc.org> wrote:

>It seems BIND currently returns NXDOMAIN in this case, and the change in
>behavior between looking-into-other-zones and
>not-looking-into-other-zones in the nameserver algorithm caused a system
>test failure, hence the question.

I don't think there is one right answer.  There may be a more efficient answer 
(in terms of some metric).  The goal of the RFCs was interoperability, keep 
that in mind.

You allude above to an implementation changing its behavior (answering from all 
available data vs. sticking to one zone).  This is not something that is 
explicitly dealt with in the original RFCs, perhaps in later ones.  Both 
choices have merit and have downsides; still, the two are interoperable.  As far as 
the protocol matters, either is a valid choice, and one that influences whether 
the query in question results in NOERROR/CNAME chain or NXDOMAIN.

In this case, I think you don't need to worry about the querier.  Rules seem to 
be explicit about caching responses here.

If anything, make sure your test script is accurate.  (Back in the day of 
DNSSEC protocol/code development, 1 out of 3 times DNSSEC had a protocol bug, 1 
out of 3 times it was a software bug, and 1 out of 3 times everything was right 
but the tester - me - was expecting the wrong result.)


DNSOP mailing list
