[dns-operations] DNAME, authoritative name servers, and the return code for non-existing domains
Viktor Dukhovni
ietf-dane at dukhovni.org
Tue May 28 17:10:47 UTC 2019
On Tue, May 28, 2019 at 01:28:34PM +0200, Stephane Bortzmeyer wrote:
> If you look at the TLD xn--kprw13d, you'll see it's an alias (through
> DNAME) for the TLD xn--kpry57d. If you query the authoritative name
> servers of xn--kprw13d for a *non*-existing subdomain of the TLD, you
> will see that all of them reply NXDOMAIN *except* anytld.apnic.net and
> h.dns.tw. They return a NOERROR (and with the AA bit).
>
> RFC 6604 clearly says that the return code must be the last of the
> chain of aliases, here NXDOMAIN (since the same name servers are
> authoritative for the alias and the canonical name). It seems to me
> anytld.apnic.net and h.dns.tw violate RFC 6604. Before I report it to
> their sysadmins, I would like to get some advice: are they right or
> wrong?
The answer from anytld.apnic.net is correct; there is no obligation
for the authoritative server to recurse into additional authoritative
zones that it hosts, beyond the zone queried. The RRSIG shows that
the answer is solely relative to the initial DNAME domain.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57313
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 797e2e35c8ddeb35b4d83bb35ced67d71463438b886d1c2d (good)
;; QUESTION SECTION:
;foobarxyzzy.xn--kprw13d. IN SOA
;; ANSWER SECTION:
xn--kprw13d. 3600 IN DNAME xn--kpry57d.
xn--kprw13d. 3600 IN RRSIG DNAME 8 1 ...
foobarxyzzy.xn--kprw13d. 3600 IN CNAME foobarxyzzy.xn--kpry57d.
Similarly, the answer from d.dns.tw. is also correct, returning
RRSIGS and NSEC3 records from the target domain:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21263
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 8, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;foobarxyzzy.xn--kprw13d. IN SOA
;; ANSWER SECTION:
xn--kprw13d. DNAME xn--kpry57d.
xn--kprw13d. RRSIG DNAME 8 1 3600 20190627010001 20190528010001 25689 xn--kprw13d. ...
foobarxyzzy.xn--kprw13d. CNAME foobarxyzzy.xn--kpry57d.
;; AUTHORITY SECTION:
xn--kpry57d. SOA d.dns.tw. snw.twnic.net.tw. 2010240127 3600 900 1296000 900
xn--kpry57d. RRSIG SOA 8 1 900 20190627120008 20190528120008 5964 xn--kpry57d. ...
PME0HQIHLS33NNS23RL6JE8TBV9U5K1G.xn--kpry57d. NSEC3 1 1 10 ...
PME0HQIHLS33NNS23RL6JE8TBV9U5K1G.xn--kpry57d. RRSIG NSEC3 8 2 900 20190627120008 20190528120008 5964 xn--kpry57d. ...
UUMDUAIM376BHP82Q72FF9F6H8JP3IDD.xn--kpry57d. NSEC3 1 1 10 ...
UUMDUAIM376BHP82Q72FF9F6H8JP3IDD.xn--kpry57d. RRSIG NSEC3 8 2 900 20190627120008 20190528120008 5964 xn--kpry57d. ...
C95MGCETLDDJP4JJA93GD0GHU15RL0U0.xn--kpry57d. NSEC3 1 1 10 ...
C95MGCETLDDJP4JJA93GD0GHU15RL0U0.xn--kpry57d. RRSIG NSEC3 8 2 900 20190627120008 20190528120008 5964 xn--kpry57d. ...
The recursion into the target of the DNAME is not mandatory.
Nameservers that store all data in memory can easily recurse into
target authoritative zones, while those that query databases can
reasonably return just the immediately available answer.
--
Viktor.
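The two server behaviours discussed in this thread, as an added example that is not part of the list post: a toy authoritative server that hosts both the DNAME zone and its target zone, synthesizes the CNAME per RFC 6672, and either stops at the zone queried (NOERROR, as anytld.apnic.net does) or follows the chain into the hosted target zone and reports its RCODE (NXDOMAIN, as d.dns.tw does). Zone contents, the `follow` flag and all function names are constructed for illustration; only the apex names come from the thread.

```python
"""Toy model of DNAME substitution (RFC 6672) on an authoritative server.
Added example; zone data below is constructed, not the real TLD contents."""
from typing import Dict, List, Optional, Tuple

RR = Tuple[str, str, str]  # (owner, type, rdata)

# Constructed zones: the DNAME zone and its target, both hosted locally.
ZONES: Dict[str, List[RR]] = {
    "xn--kprw13d.": [("xn--kprw13d.", "SOA", "placeholder"),
                     ("xn--kprw13d.", "DNAME", "xn--kpry57d.")],
    "xn--kpry57d.": [("xn--kpry57d.", "SOA", "placeholder"),
                     ("www.xn--kpry57d.", "A", "192.0.2.1")],
}

def hosted_zone(name: str) -> Optional[str]:
    """Longest hosted zone apex that `name` is at or below, else None."""
    labels = name.split(".")
    for i in range(len(labels)):
        apex = ".".join(labels[i:])
        if apex in ZONES:
            return apex
    return None

def dname_above(apex: str, qname: str) -> Optional[RR]:
    """DNAME at a proper ancestor of qname within the zone (owner itself is exempt)."""
    labels = qname.split(".")
    for i in range(1, len(labels)):          # nearest ancestor first
        owner = ".".join(labels[i:])
        for rr in ZONES[apex]:
            if rr[0] == owner and rr[1] == "DNAME":
                return rr
        if owner == apex:                    # do not look above the zone cut
            break
    return None

def answer(qname: str, qtype: str, follow: bool, depth: int = 0) -> Tuple[str, List[RR]]:
    """Return (rcode, answer section). follow=True also resolves into hosted target zones."""
    apex = hosted_zone(qname)
    if apex is None:
        return "REFUSED", []
    dn = dname_above(apex, qname)
    if dn is not None:
        owner, _, target = dn
        new = qname[:len(qname) - len(owner)] + target   # substitute owner suffix with target
        rrs = [dn, (qname, "CNAME", new)]                 # synthesized CNAME, as in the dig output
        if not follow or depth > 8 or hosted_zone(new) is None:
            return "NOERROR", rrs                         # stop at the zone queried (anytld.apnic.net)
        rcode, more = answer(new, qtype, follow, depth + 1)
        return rcode, rrs + more                          # rcode from the end of the chain (d.dns.tw)
    records = [rr for rr in ZONES[apex] if rr[0] == qname]
    if not records:
        return "NXDOMAIN", []
    return "NOERROR", [rr for rr in records if rr[1] == qtype]
```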