Heho, I am currently doing some measurement work related to DNS delegation. In this work, we initially decided to exclude names listed in NS that only contain a CNAME, following RFC2181 Sec. 10.3., which--as far as I can see--has not been updated, stating:

    10.3. MX and NS records

    The domain name used as the value of a NS resource record, or part of the value of a MX resource record must not be an alias. Not only is the specification clear on this point, but using an alias in either of these positions neither works as well as might be hoped, nor well fulfills the ambition that may have led to this approach. This domain name must have as its value one or more address records. Currently those will be A records, however in the future other record types giving addressing information may be acceptable. It can also have other RRs, but never a CNAME RR.

The reviewers now claimed that this is, indeed, no longer true, which made me set up a test case. Indeed, I find that even though a default unbound 1.15.0 does _not_ resolve a CNAME-based delegation, other major operators (q1/q8, my local ISP) indeed _do_ resolve these names. (Test case below.)

I also ran some quick atlas measurements, using probe resolvers, once with resolve-on-probe and once with defaults:

Resolve on probe: https://atlas.ripe.net/frames/measurements/44061850/
data/RIPE-Atlas-measurement-44061850.json
resolving: 263
not resolving: 180

Default: https://atlas.ripe.net/frames/measurements/44061849/
data/RIPE-Atlas-measurement-44061849.json
resolving: 264
not resolving: 179

In both cases only counting unique configured resolvers, i.e., +- some noise for 1918/::1 et al.

Is there something I missed / should CNAME in NS be considered valid now? I will take a look at the prevalence of CNAME in NS (but crunching the data takes some more time). However, it seems odd that RFC2181 and operational practice seem to diverge here.

With best regards,
Tobias

---

Test case:

RR to resolve (A/AAAA): www.dns-test-cname.wybt.net, which is:

www.dns-test-cname.wybt.net.  IN A      195.191.197.4
www.dns-test-cname.wybt.net.  IN AAAA   2a06:d1c0:dead:1::4
dns-test-cname.wybt.net.      IN NS     authns.dns-test.wybt.net.
dns-test-cname.wybt.net.      IN CNAME  authns.dns-test2.wybt.net.
authns.dns-test2.wybt.net.    IN A      195.191.197.27
authns.dns-test2.wybt.net.    IN AAAA   2a06:d1c0:dead:1::27

With:

dns-auth-test.wybt.net.   IN A     195.191.197.25
dns-auth-test.wybt.net.   IN AAAA  2a06:d1c0:dead:1::25
dns-auth-test2.wybt.net.  IN A     195.191.197.25
dns-auth-test2.wybt.net.  IN AAAA  2a06:d1c0:dead:1::25
dns-auth-test3.wybt.net.  IN A     195.191.197.25
dns-auth-test3.wybt.net.  IN AAAA  2a06:d1c0:dead:1::25

wybt.net, dns-test.wybt.net and dns-test2.wybt.net, dns-test-cname.wybt.net are all on different machines:

wybt.net.                   IN NS     robotns2.second-ns.de.
wybt.net.                   IN NS     robotns3.second-ns.com.
wybt.net.                   IN NS     dns.aperture-labs.org.
wybt.net.                   IN NS     dns2.aperture-labs.org.
wybt.net.                   IN NS     ns1.first-ns.de.
dns-test.wybt.net.          IN NS     dns-auth-test.wybt.net.
dns-test2.wybt.net.         IN NS     dns-auth-test2.wybt.net.
dns-test-cname.wybt.net.    IN NS     authns.dns-test.wybt.net.
dns-test-cname.wybt.net.    IN NS     authns.dns-test.wybt.net.
dns-test-cname.wybt.net.    IN CNAME  authns.dns-test2.wybt.net.
authns.dns-test2.wybt.net.  IN A      195.191.197.27
authns.dns-test2.wybt.net.  IN AAAA   2a06:d1c0:dead:1::27

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
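As an added example (not the author's code or the test zones themselves), a small Python model of the two resolver behaviours the post contrasts, plus an audit that flags NS targets violating the RFC 2181 Sec. 10.3 condition; the records are constructed after the test case, and it is assumed that the alias sits on the NS target name.

```python
from collections import defaultdict

# Constructed sample data modelled on the test case in the post (not the
# author's zone files); the CNAME is assumed to be on the NS target name.
RECORDS = [
    ("dns-test.wybt.net.", "NS", "dns-auth-test.wybt.net."),
    ("dns-auth-test.wybt.net.", "A", "195.191.197.25"),
    ("dns-auth-test.wybt.net.", "AAAA", "2a06:d1c0:dead:1::25"),
    ("dns-test-cname.wybt.net.", "NS", "authns.dns-test.wybt.net."),
    ("authns.dns-test.wybt.net.", "CNAME", "authns.dns-test2.wybt.net."),
    ("authns.dns-test2.wybt.net.", "A", "195.191.197.27"),
    ("authns.dns-test2.wybt.net.", "AAAA", "2a06:d1c0:dead:1::27"),
]

def rrset(records, name, rtype):
    """Return the rdata of all records with the given owner name and type."""
    return [rdata for owner, t, rdata in records if owner == name and t == rtype]

def ns_addresses(records, target, follow_cname, max_hops=8):
    """Addresses a resolver would use for an NS target name.
    follow_cname=False models a strict resolver (RFC 2181 s10.3: the target
    must own address records, never a CNAME); follow_cname=True models the
    lenient behaviour the post observed at several public resolvers.
    """
    name = target
    for _ in range(max_hops):
        addrs = rrset(records, name, "A") + rrset(records, name, "AAAA")
        if addrs:
            return addrs
        aliases = rrset(records, name, "CNAME")
        if not aliases or not follow_cname:
            return []
        name = aliases[0]
    return []  # CNAME chain too long or looping: treat as unresolvable

def audit_ns_targets(records):
    """Map each delegated zone to its NS targets that violate RFC 2181 s10.3."""
    findings = defaultdict(list)
    for owner, rtype, target in records:
        if rtype != "NS":
            continue
        if rrset(records, target, "CNAME"):
            findings[owner].append((target, "NS target is a CNAME"))
        elif not ns_addresses(records, target, follow_cname=False):
            findings[owner].append((target, "NS target has no A/AAAA"))
    return dict(findings)

if __name__ == "__main__":
    for zone, problems in audit_ns_targets(RECORDS).items():
        print(zone, problems)
```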