Hi there,

I am seeking clarification on NS RRSet completeness
in the AUTHORITY section as we are tackling one particular
RPL test from Unbound (iter_pcname.rpl).

Imagine a situation where the parent (.net/.com NS) gives this glue:

QUESTION
<anything>.example.com. IN A
ANSWER
AUTHORITY
example.com. IN NS ns.example.net.
example.com. IN NS ns.example.com.
ADDITIONAL
ns.example.net. IN A 10.0.0.1
ns.example.com. IN A 10.0.0.2

~~~

ns.example.net. gives

QUESTION
www.example.com. IN A
ANSWER
www.example.com. IN A 10.10.10.1
AUTHORITY
example.com. IN NS ns.example.com.
ADDITIONAL
ns.example.com. IN A 10.0.0.2

~~~

ns.example.com. just returns SERVFAIL

~~~

And the resolver is asked to resolve:

Step 1:
www.example.com. -> OK, returns 10.10.10.1

Step 2:
mail.example.com. -> SERVFAIL, because the NS RRset has been
overwritten by www.example.com ANSWER data from AUTHORITY
due to RFC 2181 5.4.1 Ranking:

> Data from the authority section of an authoritative answer,

Thus only ns.example.com. is asked and it SERVFAILs.

~~~

In my understanding it should be ok to return SERVFAIL,
because there's no way to honor the 5.4.1 Ranking and
not fail.  Or am I missing something really obvious?

Ondrej
--
 Ondřej Surý -- Technical Fellow
 --------------------------------------------
 CZ.NIC, z.s.p.o.    --     Laboratoře CZ.NIC
 Milesovska 5, 130 00 Praha 3, Czech Republic
 mailto:ondrej.s...@nic.cz    https://nic.cz/
 --------------------------------------------

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
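
The two-step scenario from the message, as an added example that is not part of the original post and is not Unbound's code: a toy cache in which the NS set from an authoritative answer's authority section outranks the NS set from the parent referral. The numeric ranks, the helper names, the address for mail.example.com. and the assumption that ns.example.net. would also answer for mail are constructed for illustration.

```python
# Toy model of the scenario above (added illustration, not resolver source code).
# Ranks follow the RFC 2181 5.4.1 order; the numeric values are assumptions.
AUTH_AUTHORITY = 2      # authority section of an authoritative answer
REFERRAL_AUTHORITY = 1  # authority section of a non-authoritative answer

ZONE = "example.com."
PARENT_REFERRAL = {"ns.example.net.", "ns.example.com."}
# www comes from the message; the mail address is constructed for the example.
ANSWERS = {"www.example.com.": "10.10.10.1", "mail.example.com.": "10.10.10.2"}

def query(server, qname):
    """Return (rcode, answer, authority NS set) for the two servers."""
    if server == "ns.example.net.":
        # Assumption: it answers every name the way it answered www.
        return "NOERROR", ANSWERS[qname], {"ns.example.com."}
    return "SERVFAIL", None, None  # ns.example.com. always fails

class Cache:
    def __init__(self):
        self.ns = {}  # zone -> (rank, NS names)

    def store(self, zone, nsset, rank):
        old = self.ns.get(zone)
        if old is None or rank > old[0]:  # higher-ranked data replaces lower
            self.ns[zone] = (rank, set(nsset))

def resolve(cache, qname, child_ns_replaces=True):
    if ZONE not in cache.ns:
        cache.store(ZONE, PARENT_REFERRAL, REFERRAL_AUTHORITY)
    for server in sorted(cache.ns[ZONE][1]):
        rcode, answer, authority = query(server, qname)
        if rcode != "NOERROR":
            continue  # try the next server in the cached NS set
        if child_ns_replaces:
            cache.store(ZONE, authority, AUTH_AUTHORITY)
        return answer
    return "SERVFAIL"

def scenario(child_ns_replaces):
    """Run step 1 and step 2; return the results and the final cached NS set."""
    cache = Cache()
    steps = [resolve(cache, q, child_ns_replaces)
             for q in ("www.example.com.", "mail.example.com.")]
    return steps, sorted(cache.ns[ZONE][1])

if __name__ == "__main__":
    print(scenario(True))
    print(scenario(False))
```

With `child_ns_replaces=True` the cached NS set shrinks to ns.example.com. after step 1, so step 2 has no working server left; with `False` the referral set is kept and step 2 still reaches ns.example.net.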
