[dns-operations] Knot and NSD handling names below DNAME incorrectly

Anand Buddhdev anandb at ripe.net
Sun Apr 3 03:42:20 UTC 2016

We have recently had the opportunity to observe the behaviour of BIND,
Knot and NSD with names below a DNAME. A slave zone we host had the
following in it:

a.example.com.  DNAME  b.example.com.

This zone's master then fed us an XFR that added:

www.a.example.com  A

BIND accepted the XFR, but occluded this name. When queried for
www.a.example.com/A, it returned:

a.example.com.     172800  IN  DNAME  b.example.com.
www.a.example.com  172800  IN  CNAME  www.b.example.com.

Knot and NSD also accepted the transfer, but when queried, returned this:

www.a.example.com  172800  IN  A

However, Knot exhibited another issue. When it was restarted, it refused
to load the last-saved copy of the zone from disk, with the complaint
that there was a name below the DNAME. There's a semantic check in its
code that prevents it from loading such a zone, but this check
apparently isn't done when receiving an XFR.

So our DNS cluster, which runs all three name servers, is giving out
three different responses for this query.

We have bug reports open with the Knot and NSD developers, and we've
informed the zone's owner to fix this.
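The occlusion behaviour described above, as an added example (not code from the post or from BIND, Knot or NSD): a load-time check that flags records sitting below a DNAME owner, and the RFC 6672 CNAME synthesis that produced BIND's answer. The address 192.0.2.1 and the trailing-dot owner names are constructed assumptions, since the post omits the A rdata.

```python
"""Added example (not from the mailing-list post): RFC 6672 DNAME handling.

Reconstructs the situation in the post: a zone holding
  a.example.com. DNAME b.example.com.
then receiving an occluded name
  www.a.example.com. A <address>
and shows (1) a semantic check that flags names below a DNAME owner and
(2) the answer a server should synthesize for www.a.example.com/A.
The address 192.0.2.1 is a constructed placeholder; the post omitted it.
"""

# Constructed zone contents, modelled on the post: (owner, ttl, type, rdata).
ZONE = [
    ("a.example.com.", 172800, "DNAME", "b.example.com."),
    ("www.a.example.com.", 172800, "A", "192.0.2.1"),
]


def _labels(name):
    return name.rstrip(".").lower().split(".")


def is_below(name, owner):
    """True when name is a strict subdomain of owner."""
    n, o = _labels(name), _labels(owner)
    return len(n) > len(o) and n[-len(o):] == o


def occluded_records(zone):
    """Semantic check (the kind Knot runs on disk load but, per the post,
    not on XFR): return every RR whose owner lies below a DNAME owner."""
    dname_owners = [rr[0] for rr in zone if rr[2] == "DNAME"]
    return [rr for rr in zone
            if any(is_below(rr[0], o) for o in dname_owners)]


def answer(zone, qname, qtype):
    """Answer a query, applying DNAME substitution (RFC 6672) before
    looking at any data that sits below the DNAME owner."""
    for owner, ttl, rtype, target in zone:
        if rtype == "DNAME" and is_below(qname, owner):
            # Replace the owner suffix with the target; keep the prefix labels.
            prefix = _labels(qname)[:-len(_labels(owner))]
            new_name = ".".join(prefix + _labels(target)) + "."
            # Synthesized CNAME inherits the DNAME's TTL (RFC 6672 section 3.3).
            return [(owner, ttl, "DNAME", target),
                    (qname, ttl, "CNAME", new_name)]
    # No DNAME applies: ordinary exact-match lookup.
    return [rr for rr in zone if rr[0] == qname and rr[2] == qtype]
```

Running occluded_records over a freshly transferred zone catches the www.a.example.com record before it is served, which is the check the post says Knot skips on XFR.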
