[dns-operations] Knot and NSD handling names below DNAME incorrectly
Anand Buddhdev
anandb at ripe.net
Sun Apr 3 03:42:20 UTC 2016
We have recently had the opportunity to observe the behaviour of BIND,
Knot and NSD with names below a DNAME. A slave zone we host had the
following in it:

    a.example.com. DNAME b.example.com.

This zone's master then fed us an XFR that added:

    www.a.example.com A 1.2.3.4

BIND accepted the XFR, but occluded this name. When queried for
www.a.example.com/A, it returned:

    ;; ANSWER SECTION:
    a.example.com. 172800 IN DNAME b.example.com.
    www.a.example.com 172800 IN CNAME www.b.example.com.

Knot and NSD also accepted the transfer, but when queried, returned this:

    ;; ANSWER SECTION:
    www.a.example.com 172800 IN A 1.2.3.4

However, Knot exhibited another issue. When it was restarted, it refused
to load the last-saved copy of the zone from disk, with the complaint
that there was a name below the DNAME. There's a semantic check in its
code that prevents it from loading such a zone, but this check
apparently isn't done when receiving an XFR.

So our DNS cluster, which runs all three name servers, is giving out
three different responses for this query.

We have bug reports open with the Knot and NSD developers, and we've
informed the zone's owner to fix this.

Regards,
Anand
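The occlusion rule from RFC 6672 that the post relies on, as an added example that is not part of the original message or of BIND, Knot or NSD: a small Python model that flags names below a DNAME owner at zone-load time (the check Knot applies on load but not on XFR) and synthesizes the CNAME answer BIND produced instead of serving the occluded A record. Owner names, TTLs and rdata are the ones from the message; the RR class and the function names are my own.

```python
# Added example: DNAME occlusion check and CNAME synthesis (RFC 6672 model).
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name, fully qualified, trailing dot
    ttl: int
    rtype: str
    rdata: str


# Zone contents as described in the message (after the XFR was applied).
ZONE = [
    RR("a.example.com.", 172800, "DNAME", "b.example.com."),
    RR("www.a.example.com.", 172800, "A", "1.2.3.4"),
]


def parent_dname(name, zone):
    """Return the DNAME RR whose owner is a proper ancestor of `name`, else None."""
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels)):          # proper ancestors only; the DNAME owner itself is not occluded
        ancestor = ".".join(labels[i:]) + "."
        for rr in zone:
            if rr.rtype == "DNAME" and rr.name == ancestor:
                return rr
    return None


def occluded_names(zone):
    """Zone-load style check: owner names that sit below a DNAME and are therefore occluded."""
    return sorted({rr.name for rr in zone if parent_dname(rr.name, zone) is not None})


def answer(zone, qname, qtype):
    """Answer section for qname/qtype, applying the DNAME before any exact-match lookup."""
    dn = parent_dname(qname, zone)
    if dn is not None:
        # The data stored below the DNAME is never returned; the DNAME is
        # returned together with a CNAME synthesized from the DNAME target.
        prefix = qname[: -len(dn.name)]          # e.g. "www." for www.a.example.com.
        return [dn, RR(qname, dn.ttl, "CNAME", prefix + dn.rdata)]
    return [rr for rr in zone if rr.name == qname and rr.rtype == qtype]


if __name__ == "__main__":
    print("occluded:", occluded_names(ZONE))
    for rr in answer(ZONE, "www.a.example.com.", "A"):
        print(rr.name, rr.ttl, "IN", rr.rtype, rr.rdata)
```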