[dns-operations] (co.)bw DNSSEC failure
David
opendak at shaw.ca
Thu Sep 22 05:30:01 UTC 2016
On 2016-09-20 3:05 PM, Peter van Dijk wrote:
> Hi Warren,
>
> On 20 Sep 2016, at 20:29, Warren Kumari wrote:
>
>> So, that explains *this* case, but we often seem to see other *weird*
>> issues... I'm trying to find the example (I have it squirreled away
>> somewhere), but one of my favorites was getting back NXDOMAIN
>> responses along with a full (complete and correct) answer. I never
>> figured out what I should do with that - do I use the answer or not?
>
> Hard to say without seeing it. I have seen a lot of this (typed from
> memory):
>
> $ dig a www.example.com
> ; .. .. ..
> ; status: NXDOMAIN
>
> ;; ANSWER SECTION:
> www.example.com. 600 IN CNAME www.example.org.
>
> ;; AUTHORITY SECTION
> example.org. .. IN SOA ..
>
>
> In this case, the auth thinks it is also authoritative for example.org
> and thus is able to return NXDOMAIN from there. NXDOMAIN applies to the
> QNAME -as defined by 2308- so given the misconfiguration of this auth,
> this is the right response. As a client, you use the CNAME, ignore the
> NXDOMAIN (as it’s out of bailiwick) and chase www.example.org yourself.
>
> Most misconfigurations of this type involve accidentally hosted root
> zones, btw.
>
And of all implementations MS Windows DNS is particularly strict about
this and will give up completely.
More information about the dns-operations
mailing list