[dns-operations] Knot and NSD handling names below DNAME incorrectly
Matthew Pounsett
matt at conundrum.com
Sun Apr 3 05:28:37 UTC 2016
> On Apr 3, 2016, at 02:10, Jean-Yves Bisiaux <jyb at efficientip.com> wrote:
>
> Hi Arnand,
>
> RFC 6672 2.4: "Resource records MUST NOT exist at any subdomain of the owner of a DNAME RR."
>
> It's a misconfiguration to add a subdomain of a.example.com if you use a DNAME on it.
> www.a.example.com must be set in b.example.com.
>
> In my opinion, XFER should reject www.a.example.com for all BIND, NSD and Knot.
>
> RFC 6672 2.4: "A server MAY refuse to load a zone that has data at a subdomain of a domain name owning a DNAME RR."
>
> Then let say Knot is right and strict, BIND and NSD are user friendly.
I'd say Knot (and NSD) is wrong, and not strict. It shouldn't accept the record in a zone transfer and then refuse to load the zone at restart. At the very least that's a POLA violation. At worst it's a failure to conform with RFC 6672 § 2.4; if it does accept the zone transfer, it (and NSD) shouldn't return an A record for www.a.example.com, but should occlude it as BIND does.
BIND should probably exclude the occluded A record from an outgoing zone transfer, as well, in order to be conservative in what it sends.
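The behaviour the thread is arguing about (RFC 6672 § 2.4 occlusion, and dropping occluded data from an outgoing transfer) is small enough to model directly. The following is an added example written for this page; it is not code from the thread, nor from BIND, Knot or NSD. The zone text is constructed, and the parser is deliberately minimal (one RR per line, fully qualified owners, no $ORIGIN or $TTL, no CNAME chasing). The www.a.example.com A record is the misconfigured one from the discussion: a zone-load check reports it, a lookup for it synthesises the CNAME from the DNAME instead of returning the occluded A, and the transfer view omits it.

```python
"""Model of RFC 6672 DNAME occlusion (added example, not from the mailing-list thread
or from any nameserver's code). Assumes a constructed, simplified zone file."""

from collections import defaultdict

# Constructed sample zone, not real data. The A record at www.a.example.com sits
# below the DNAME owner a.example.com and is therefore occluded (RFC 6672 section 2.4).
SAMPLE_ZONE = """
example.com.       3600 IN SOA   ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
example.com.       3600 IN NS    ns1.example.com.
ns1.example.com.   3600 IN A     192.0.2.1
a.example.com.     3600 IN DNAME b.example.com.
www.a.example.com. 3600 IN A     192.0.2.2
www.b.example.com. 3600 IN A     192.0.2.3
"""


def canon(name):
    """Lower-case and force a single trailing dot so names compare reliably."""
    return name.lower().rstrip('.') + '.'


def parse_zone(text):
    """Return {(owner, type): [(ttl, rdata), ...]} from one-RR-per-line zone text."""
    rrsets = defaultdict(list)
    for line in text.splitlines():
        line = line.split(';', 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        owner, ttl, _cls, rtype, rdata = line.split(None, 4)
        rrsets[(canon(owner), rtype.upper())].append((int(ttl), rdata))
    return dict(rrsets)


def is_below(name, apex):
    """True when name is a proper subdomain of apex (label boundary respected)."""
    return name != apex and name.endswith('.' + apex)


def occluded_records(zone):
    """Zone-load check for RFC 6672 section 2.4: every RRset whose owner lies below a
    DNAME owner, as (owner, type, dname_owner). A loader may refuse such a zone;
    a server that loads it anyway must never answer with these records."""
    dname_owners = [owner for (owner, rtype) in zone if rtype == 'DNAME']
    bad = []
    for (owner, rtype) in zone:
        for dname_owner in dname_owners:
            if is_below(owner, dname_owner):
                bad.append((owner, rtype, dname_owner))
    return sorted(bad)


def lookup(zone, qname, qtype):
    """Authoritative lookup with DNAME substitution (RFC 6672 section 3).
    Returns [(owner, type, rdata), ...]. When qname is below a DNAME owner the
    answer is the DNAME plus a synthesised CNAME; any occluded data at qname is
    never consulted. Otherwise the RRset at qname is returned as-is."""
    qname = canon(qname)
    labels = qname.rstrip('.').split('.')
    # Walk the ancestors of qname, closest first. The DNAME owner itself is not
    # substituted, so the walk starts at the parent (i = 1).
    for i in range(1, len(labels)):
        ancestor = '.'.join(labels[i:]) + '.'
        dname = zone.get((ancestor, 'DNAME'))
        if dname:
            _ttl, target = dname[0]
            target = canon(target)
            new_name = '.'.join(labels[:i]) + '.' + target
            return [(ancestor, 'DNAME', target), (qname, 'CNAME', new_name)]
    rrs = zone.get((qname, qtype.upper()), [])
    return [(qname, qtype.upper(), rdata) for _ttl, rdata in rrs]


def transfer_view(zone):
    """What a conservative AXFR sender would emit: the zone minus occluded RRsets,
    so a secondary never receives data it would have to occlude or reject."""
    bad = {(owner, rtype) for owner, rtype, _ in occluded_records(zone)}
    return {key: rrs for key, rrs in zone.items() if key not in bad}


if __name__ == '__main__':
    zone = parse_zone(SAMPLE_ZONE)
    print('occluded:', occluded_records(zone))
    print('www.a.example.com A ->', lookup(zone, 'www.a.example.com', 'A'))
    print('www.b.example.com A ->', lookup(zone, 'www.b.example.com', 'A'))
    print('AXFR carries occluded A?', ('www.a.example.com.', 'A') in transfer_view(zone))
```

The interesting case is the second lookup path: a query for www.a.example.com never touches the stored A record, because the ancestor walk finds the DNAME at a.example.com first and answers with DNAME plus synthesised CNAME. That is the behaviour the reply above credits BIND with; a server that instead returned 192.0.2.2 would be answering from occluded data.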