[dns-operations] Knot and NSD handling names below DNAME incorrectly

Matthew Pounsett matt at conundrum.com
Sun Apr 3 05:28:37 UTC 2016

> On Apr 3, 2016, at 02:10, Jean-Yves Bisiaux <jyb at efficientip.com> wrote:
> Hi Arnand,
> RFC 6672 2.4: "Resource records MUST NOT exist at any subdomain of the owner of a DNAME RR."
> It's a miconfiguration to add subdomain of a.example.com if you use a DNAME on it.
> www.a.example.com must be set in b.exemple.com.
> In my opinion, XFER should reject www.a.example.com for all BIND, NSD and Knot.
> RFC 6672 2.4: "A server MAY refuse to load a zone that has data at a subdomain of a domain name owning a DNAME RR."
> Then let say Knot is right and strict, BIND and NSD are user friendly.

I'd say Knot (and NSD) is wrong, and not strict.  It shouldn't accept the record in a zone transfer and then refuse to load the zone at restart.  At best least that's a POLA violation.  At worst it a failure to conform with RFC 6672 § 2.4; if it does accept the zone transfer, it (and NSD) shouldn't return an A record for www.a.example.com, but should occlude it as BIND does.

BIND should probably exclude the occluded A record from an outgoing zone transfer, as well, in order to be conservative in what it sends.

More information about the dns-operations mailing list