[dns-operations] Any dreamhost DNS admins?
Viktor Dukhovni
ietf-dane at dukhovni.org
Wed Feb 20 04:39:44 UTC 2019
On Wed, Feb 20, 2019 at 02:53:13PM +1100, Mark Andrews wrote:
> On the face of this there is nothing wrong here.
> ANCOUNT should match the count of CNAME/DNAME in the answer section.
> If the final name doesn’t exist then NXDOMAIN is fine.
Agreed. This is quite correct when the CNAME target is in the same zone.
> > On 20 Feb 2019, at 2:40 pm, Doug Barton <dougb at dougbarton.email> wrote:
> >
> > Your name servers are returning a combination of NXDOMAIN and ANCOUNT >
> > 0 when queried for an A record, but you have a CNAME present for the label.
> > I haven't looked at the docs, but that is (at least) different from the
> > other implementations I've tested so far.
Here's another (lightly obfuscated) example:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4952
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 1
;_25._tcp.mx2.<zone-apex>. IN TLSA
;
_25._tcp.mx2.<zone-apex>. CNAME _dane-mx2.<zone-apex>.
_25._tcp.mx2.<zone-apex>. RRSIG CNAME 8 5 3600 20190228000000 20190207000000 6720 <zone-apex>. <signature>
;
<zone-apex>. SOA ns1.<zone-apex>. hostmaster.<zone-apex>. 2019021606 10800 3600 604800 3600
<zone-apex>. RRSIG SOA 8 2 3600 20190228000000 20190207000000 6720 <zone-apex>. <signature>
<zone-apex>. NSEC 7966341.<zone-apex>. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY CAA
<zone-apex>. RRSIG NSEC 8 2 3600 20190228000000 20190207000000 6720 <zone-apex>. <signature>
_dane-mail.<zone-apex>. NSEC _dmarc.<zone-apex>. RRSIG NSEC TLSA
_dane-mail.<zone-apex>. RRSIG NSEC 8 3 3600 20190228000000 20190207000000 6720 <zone-apex>. <signature>
--
Viktor.
More information about the dns-operations
mailing list