[dns-operations] Knot and NSD handling names below DNAME incorrectly

Mark Andrews marka at isc.org
Sun Apr 3 11:09:26 UTC 2016


In message <77125219-EABC-4F2E-9421-BE1C06B65DFE at conundrum.com>, Matthew Pounsett writes:
>
> > On Apr 3, 2016, at 02:10, Jean-Yves Bisiaux <jyb at efficientip.com> wrote:
> >
> > Hi Arnand,
> >
> > RFC 6672 2.4: "Resource records MUST NOT exist at any subdomain of the
> > owner of a DNAME RR."
> >
> > It's a misconfiguration to add a subdomain of a.example.com if you use a
> > DNAME on it.
> > www.a.example.com must be set in b.exemple.com.
> >
> > In my opinion, XFER should reject www.a.example.com for all BIND, NSD
> > and Knot.
> >
> > RFC 6672 2.4: "A server MAY refuse to load a zone that has data at a
> > subdomain of a domain name owning a DNAME RR."
> >
> > Then let's say Knot is right and strict, BIND and NSD are user friendly.
>
> I'd say Knot (and NSD) is wrong, and not strict.  It shouldn't accept the
> record in a zone transfer and then refuse to load the zone at restart.
> At least that's a POLA violation.  At worst it's a failure to conform
> with RFC 6672 2.4; if it does accept the zone transfer, it (and NSD)
> shouldn't return an A record for www.a.example.com, but should occlude it
> as BIND does.
>
> BIND should probably exclude the occluded A record from an outgoing zone
> transfer, as well, in order to be conservative in what it sends.

No. If you do that you break what is returned if the DNAME is removed via
IXFR.  Slaves need to transmit the entire zone content as learnt.


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
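The behaviour argued over in this thread, as an added worked example that is not part of the list discussion or of any of the named servers' code. It models a zone as a list of records (constructed sample data using the thread's a.example.com / b.example.com names), answers queries with RFC 6672 DNAME substitution so that the A record at www.a.example.com is occluded rather than returned, and then compares two secondaries: one that sends its downstream the whole zone as learnt and one that strips occluded records from the outgoing transfer. When the DNAME is later removed by IXFR, only the first secondary's downstream still has the www.a.example.com A record, which is the breakage the reply above points at. The function names (`lookup`, `resolve`, `apply_ixfr`, `outgoing_transfer`) are this example's own.

```python
"""Added example: DNAME occlusion and why a secondary must keep and transmit
occluded data as learnt.  Zone content below is constructed sample data."""

# A zone is a list of (owner, type, rdata) tuples; owners are absolute and lower-case.
ZONE = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 3600 600 86400 300"),
    ("example.com.", "NS", "ns1.example.com."),
    ("a.example.com.", "DNAME", "b.example.com."),
    ("www.a.example.com.", "A", "192.0.2.10"),   # occluded while the DNAME exists
    ("www.b.example.com.", "A", "192.0.2.20"),
]

DNAME_RR = ("a.example.com.", "DNAME", "b.example.com.")


def is_subdomain(name, parent):
    """True if name is a proper subdomain of parent."""
    return name != parent and name.endswith("." + parent)


def find_dname(zone, qname):
    """Return (owner, target) of the closest DNAME whose owner is an ancestor of qname."""
    best = None
    for owner, rtype, rdata in zone:
        if rtype == "DNAME" and is_subdomain(qname, owner):
            if best is None or len(owner) > len(best[0]):
                best = (owner, rdata)
    return best


def occluded(zone, owner):
    """RFC 6672 2.4: data at any subdomain of a DNAME owner is occluded."""
    return find_dname(zone, owner) is not None


def lookup(zone, qname, qtype):
    """Authoritative answer for qname/qtype with RFC 6672 substitution.
    If a DNAME covers qname, the occluded data is ignored and a CNAME to the
    substituted name is synthesized alongside the DNAME itself."""
    dname = find_dname(zone, qname)
    if dname is not None:
        owner, target = dname
        new_name = qname[: -len(owner)] + target   # swap the owner suffix for the target
        return [(owner, "DNAME", target), (qname, "CNAME", new_name)]
    # Ordinary lookup: a CNAME at the name is returned for any other qtype.
    rrs = [(o, t, r) for o, t, r in zone if o == qname and t == qtype]
    if not rrs and qtype != "CNAME":
        rrs = [(o, t, r) for o, t, r in zone if o == qname and t == "CNAME"]
    return rrs


def resolve(zone, qname, qtype, max_hops=8):
    """Chase CNAMEs inside the zone; returns the full answer chain."""
    chain, name = [], qname
    for _ in range(max_hops):
        rrs = lookup(zone, name, qtype)
        chain.extend(rrs)
        targets = [r for o, t, r in rrs if t == "CNAME"]
        if not targets:
            return chain
        name = targets[0]
    raise RuntimeError("CNAME chain too long")


def apply_ixfr(zone, deleted, added):
    """Apply an incremental transfer: everything not deleted is kept as learnt."""
    return [rr for rr in zone if rr not in deleted] + list(added)


def outgoing_transfer(zone, strip_occluded=False):
    """Records a secondary sends to its own downstream.  strip_occluded=True is
    the 'conservative' variant floated in the thread; see demo() for why it breaks."""
    if not strip_occluded:
        return list(zone)
    return [rr for rr in zone if not occluded(zone, rr[0])]


def demo():
    """Returns the A rdata the two downstreams hold for www.a.example.com
    after the DNAME is removed via IXFR: (full copy, stripped copy)."""
    full = apply_ixfr(outgoing_transfer(ZONE), [DNAME_RR], [])
    stripped = apply_ixfr(outgoing_transfer(ZONE, strip_occluded=True), [DNAME_RR], [])
    pick = lambda z: [r for o, t, r in lookup(z, "www.a.example.com.", "A")]
    return pick(full), pick(stripped)


if __name__ == "__main__":
    print(resolve(ZONE, "www.a.example.com.", "A"))
    print(demo())
```

Running it shows the query for www.a.example.com is answered with the DNAME plus a synthesized CNAME to www.b.example.com (the occluded 192.0.2.10 never appears), and that after the IXFR only the downstream fed the full zone still answers with 192.0.2.10; the stripped downstream has nothing at that name.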