[dns-operations] CNAME into a delegated zone goes wrong.... any ideas?

Brett Frankenberger rbf+dns-operations at panix.com
Mon Jun 13 01:33:25 UTC 2011


On Sun, Jun 12, 2011 at 11:31:02PM +0100, Steven Carr wrote:
> On 12 June 2011 23:15, Jeroen Massar <jeroen at unfix.org> wrote:
> >
> > Yep, and I assume that that is because the google DNS servers are
> > non-BIND, as with unbound recursors it also works, but if I use anything
> > which builds upon BIND-based tech it fails...
> 
> Because there is an error in the zone configuration, the logs on my
> BIND server show:
> 
> 12-Jun-2011 23:23:07.419 DNS format error from 62.220.146.194#53
> resolving ntp.us.sixxs.net/A for client 172.16.0.20#62548: multiple NS
> RRsets in authority section
> 12-Jun-2011 23:23:07.502 DNS format error from 94.142.245.3#53
> resolving ntp.us.sixxs.net/A for client 172.16.0.20#62548: multiple NS
> RRsets in authority section
> 
> The authority records that come back from a "dig @ns.paphosting.net
> ntp.us.sixxs.net" show...
> ;; AUTHORITY SECTION:
> ntp.sixxs.net.		3600	IN	NS	ns1.sixxs.net.
> ntp.sixxs.net.		3600	IN	NS	ns2.sixxs.net.
> ntp.sixxs.net.		3600	IN	NS	ns3.sixxs.net.
> sixxs.net.		3600	IN	NS	ns.paphosting.net.
> sixxs.net.		3600	IN	NS	ns.paphosting.nl.
> sixxs.net.		3600	IN	NS	ns.paphosting.eu.
> 
> ...therefore BIND doesn't know who to query and drops it - the
> sixxs.net. servers should not be being returned in the Authority,
> there is no real need to return them at all, but if it does then they
> should be in the Additional section.

Is that clear from any RFC?  If ns.paphosting.net is queried for CNAME
records at ntp.us.sixxs.net, it properly returns the CNAME record, and
includes only the sixxs.net records in the authority section.

If the query is for AAAA records, it appears to add the CNAME record to
the answer section, add the sixxs.net records to the authority section,
then restart the query looking for the target of the CNAME record
(us.ntp.sixxs.net).  Since it's not authoritative for the ntp.sixxs.net
zone and isn't doing a recursive query, it can't answer that, but it is
authoritative for the parent of that zone, so it adds ntp.sixxs.net to
the authority section, reflecting the delegation of ntp.sixxs.net.

Is there any RFC that makes it clear what should be done in this case?
There seem to be three choices -- what is shown above (include both
RRsets), include only the sixxs.net NS RRset to reflect the authority for
the CNAME record that was returned (causing the resolver to then query
for the target of the CNAME record to get the delegation), or include
only the ntp.sixxs.net RRset for the delegation.

     -- Brett
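As an added example (not code from the thread or from BIND), the following Python reproduces the sanity check that trips in Steven's logs and maps each NS RRset back to the name in the CNAME chain it sits above; the authority records are copied from the dig output quoted above, and the CNAME target us.ntp.sixxs.net is taken from Brett's description.

```python
from collections import defaultdict

QNAME = "ntp.us.sixxs.net."
CNAME_TARGET = "us.ntp.sixxs.net."   # target named in the thread

AUTHORITY_BOTH = [  # authority section from the dig output (owner, type, rdata)
    ("ntp.sixxs.net.", "NS", "ns1.sixxs.net."),
    ("ntp.sixxs.net.", "NS", "ns2.sixxs.net."),
    ("ntp.sixxs.net.", "NS", "ns3.sixxs.net."),
    ("sixxs.net.", "NS", "ns.paphosting.net."),
    ("sixxs.net.", "NS", "ns.paphosting.nl."),
    ("sixxs.net.", "NS", "ns.paphosting.eu."),
]

def canon(name):
    """Lower-case an owner name and give it exactly one trailing dot."""
    return name.rstrip(".").lower() + "."

def ns_rrsets(authority):
    """Group the NS records of an authority section by owner name."""
    sets = defaultdict(list)
    for owner, rrtype, rdata in authority:
        if rrtype.upper() == "NS":
            sets[canon(owner)].append(canon(rdata))
    return {owner: sorted(v) for owner, v in sets.items()}

def covers(owner, name):
    """True if `name` is at or below the zone cut at `owner`."""
    name = canon(name)
    return name == owner or name.endswith("." + owner)

def check_authority(authority, chain=(QNAME, CNAME_TARGET)):
    """Mimic the resolver check from the logs: two or more NS RRsets is a format
    error.  Also report which name of the chain (qname, then targets) each covers."""
    sets = ns_rrsets(authority)
    covered = {owner: next((n for n in chain if covers(owner, n)), None)
               for owner in sets}
    verdict = "FORMERR" if len(sets) > 1 else "OK"
    return verdict, covered

def evaluate_alternatives():
    """Score the three response shapes discussed in the post."""
    only_parent = [r for r in AUTHORITY_BOTH if r[0] == "sixxs.net."]
    only_child = [r for r in AUTHORITY_BOTH if r[0] == "ntp.sixxs.net."]
    return {
        "both RRsets": check_authority(AUTHORITY_BOTH)[0],
        "only sixxs.net": check_authority(only_parent)[0],
        "only ntp.sixxs.net": check_authority(only_child)[0],
    }
```

Running `evaluate_alternatives()` shows that either single RRset passes the check while the combined response is rejected, which is exactly the split between the unbound and BIND behaviour reported earlier in the thread.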
