[dns-operations] Any dreamhost DNS admins?

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Feb 20 04:39:44 UTC 2019


On Wed, Feb 20, 2019 at 02:53:13PM +1100, Mark Andrews wrote:

> On the face of this there is nothing wrong here.
> ANCOUNT should match the count of CNAME/DNAME in the answer section.
> If the final name doesn’t exist then NXDOMAIN is fine.

Agreed.  This is quite correct when the CNAME target is in the same zone.

> > On 20 Feb 2019, at 2:40 pm, Doug Barton <dougb at dougbarton.email> wrote:
> > 
> > Your name servers are returning a combination of NXDOMAIN and ANCOUNT >
> > 0 when queried for an A record, but you have a CNAME present for the label.
> > I haven't looked at the docs, but that is (at least) different from the
> > other implementations I've tested so far.

Here's another (lightly obfuscated) example:

    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4952
    ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 1
    ;_25._tcp.mx2.<zone-apex>.        IN TLSA
    ;
    _25._tcp.mx2.<zone-apex>. CNAME   _dane-mx2.<zone-apex>.
    _25._tcp.mx2.<zone-apex>. RRSIG   CNAME 8 5 3600 20190228000000 20190207000000 6720 <zone-apex>. <signature>
    ;
    <zone-apex>.              SOA     ns1.<zone-apex>. hostmaster.<zone-apex>. 2019021606 10800 3600 604800 3600
    <zone-apex>.              RRSIG   SOA 8 2 3600 20190228000000 20190207000000 6720 <zone-apex>. <signature>
    <zone-apex>.              NSEC    7966341.<zone-apex>. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY CAA
    <zone-apex>.              RRSIG   NSEC 8 2 3600 20190228000000 20190207000000 6720 <zone-apex>. <signature>
    _dane-mail.<zone-apex>.   NSEC    _dmarc.<zone-apex>. RRSIG NSEC TLSA
    _dane-mail.<zone-apex>.   RRSIG   NSEC 8 3 3600 20190228000000 20190207000000 6720 <zone-apex>. <signature>

-- 
	Viktor.


More information about the dns-operations mailing list