[dns-operations] Any dreamhost DNS admins?

Mark Andrews marka at isc.org
Wed Feb 20 04:52:46 UTC 2019



> On 20 Feb 2019, at 3:39 pm, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> 
> On Wed, Feb 20, 2019 at 02:53:13PM +1100, Mark Andrews wrote:
> 
>> On the face of this there is nothing wrong here.
>> ANCOUNT should match the count of CNAME/DNAME in the answer section.
>> If the final name doesn’t exist then NXDOMAIN is fine.
> 
> Agreed.  This is quite correct when the CNAME target is in the same zone.

Or if the server can determine it from another zone it serves or if it
recursed to construct the answer.

>>> On 20 Feb 2019, at 2:40 pm, Doug Barton <dougb at dougbarton.email> wrote:
>>> 
>>> Your name servers are returning a combination of NXDOMAIN and ANCOUNT >
>>> 0 when queried for an A record, but you have a CNAME present for the label.
>>> I haven't looked at the docs, but that is (at least) different from the
>>> other implementations I've tested so far.

Nothing wrong here on the face of it.  The CNAME target doesn’t exist and
you have proof of non-existence for it and the wildcard.

> Here's another (lightly obfuscated) example:
> 
>    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4952
>    ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 1
>    ;_25._tcp.mx2.<zone-apex>.        IN TLSA
>    ;
>    _25._tcp.mx2.<zone-apex>. CNAME   _dane-mx2.<zone-apex>.
>    _25._tcp.mx2.<zone-apex>. RRSIG   CNAME 8 5 3600 20190228000000 20190207000000 6720 <zone-apex>. <signature>
>    ;
>    <zone-apex>.              SOA     ns1.<zone-apex>. hostmaster.<zone-apex>. 2019021606 10800 3600 604800 3600
>    <zone-apex>.              RRSIG   SOA 8 2 3600 20190228000000 20190207000000 6720 <zone-apex>. <signature>
>    <zone-apex>.              NSEC    7966341.<zone-apex>. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY CAA
>    <zone-apex>.              RRSIG   NSEC 8 2 3600 20190228000000 20190207000000 6720 <zone-apex>. <signature>
>    _dane-mail.<zone-apex>.   NSEC    _dmarc.<zone-apex>. RRSIG NSEC TLSA
>    _dane-mail.<zone-apex>.   RRSIG   NSEC 8 3 3600 20190228000000 20190207000000 6720 <zone-apex>. <signature>
> 
> -- 
> 	Viktor.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
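
Added example (not part of the original message and not code from any DNS implementation): the check discussed in the reply above, that the final CNAME target and the wildcard at its closest encloser are both covered by NSEC records in the quoted response, using RFC 4034 section 6.1 canonical ordering. `example.com` is a constructed stand-in for the obfuscated `<zone-apex>`; the function names are hypothetical and RRSIG validation is not performed.

```python
# Added example. "example.com" is a constructed stand-in for <zone-apex>.
# Function names are hypothetical; signatures (RRSIG) are not validated here.

def canon(name):
    """RFC 4034 6.1 canonical sort key: lowercase labels, rightmost first."""
    return [l.encode("ascii") for l in reversed(name.rstrip(".").lower().split("."))]

def covers(owner, nxt, name):
    """True if name sorts strictly between an NSEC's owner and next name."""
    o, n, q = canon(owner), canon(nxt), canon(name)
    if o < n:
        return o < q < n
    return q > o or q < n        # last NSEC in the zone wraps to the apex

def common_ancestor(a, b):
    """Longest domain that is an ancestor of (or equal to) both names."""
    ka, kb = canon(a), canon(b)
    i = 0
    while i < min(len(ka), len(kb)) and ka[i] == kb[i]:
        i += 1
    return ".".join(l.decode() for l in reversed(ka[:i])) + "."

def check_nxdomain(qname, cnames, nsecs):
    """cnames: [(owner, target)], nsecs: [(owner, next)] from one response."""
    cmap = {o.lower(): t.lower() for o, t in cnames}
    target, hops = qname.lower(), 0
    while target in cmap and hops < len(cmap):      # bounded: CNAME loops stop
        target, hops = cmap[target], hops + 1
    proof = next(((o, n) for o, n in nsecs if covers(o, n, target)), None)
    if proof is None:
        return {"target": target, "hops": hops, "name_denied": False,
                "wildcard": None, "wildcard_denied": False}
    # Closest encloser: longest ancestor shared with either end of the NSEC.
    encloser = max((common_ancestor(target, x) for x in proof), key=len)
    wildcard = "*." + encloser
    return {"target": target, "hops": hops, "name_denied": True,
            "wildcard": wildcard,
            "wildcard_denied": any(covers(o, n, wildcard) for o, n in nsecs)}

# Constructed from the quoted response, with RRSIG and SOA records left out.
CNAMES = [("_25._tcp.mx2.example.com.", "_dane-mx2.example.com.")]
NSECS = [("example.com.", "7966341.example.com."),
         ("_dane-mail.example.com.", "_dmarc.example.com.")]

if __name__ == "__main__":
    print(check_nxdomain("_25._tcp.mx2.example.com.", CNAMES, NSECS))
```

Both flags come back true for the quoted records: `_dane-mx2` sorts between `_dane-mail` and `_dmarc`, and `*` sorts between the apex and `7966341`.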




