<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 8 Feb 2021, at 14:00, Anthony Lieuallen via dns-operations <<a href="mailto:dns-operations@dns-oarc.net" class="">dns-operations@dns-oarc.net</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><br class=""><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(127, 127, 127, 1.0);" class=""><b class="">From: </b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class="">Anthony Lieuallen <<a href="mailto:alieuall@google.com" class="">alieuall@google.com</a>><br class=""></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(127, 127, 127, 1.0);" class=""><b class="">Subject: </b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class=""><b class="">NXDOMAIN status, with answers?</b><br class=""></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(127, 127, 127, 1.0);" class=""><b class="">Date: </b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class="">8 February 2021 at 14:00:49 GMT<br class=""></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(127, 127, 127, 
1.0);" class=""><b class="">To: </b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class=""><a href="mailto:dns-operations@dns-oarc.net" class="">dns-operations@dns-oarc.net</a><br class=""></span></div><br class=""><br class=""><div dir="ltr" class="">An interesting corner case has recently been brought to our attention, and I'm hoping for some additional viewpoints to help me understand how best to handle it.<div class=""><br class=""></div><div class="">An operator reported problems with our recursive resolver, after recently enabling DNSSEC. The cause seems to be that the authoritative server is returning an answer (a CNAME, in case it matters) but with NXDOMAIN status. When we see NXDOMAIN we abort our recursive resolving behavior. Later we get to the DNSSEC validation phase, but because we stopped at the NXDOMAIN we never got the DNSKEYs for the zone, and we thus fail to validate, and return SERVFAIL.</div><div class=""><br class=""></div><div class="">Other resolvers seem to be handling this domain successfully, so I'm wondering:</div><div class=""><br class=""></div><div class="">* Is this (NXDOMAIN status, but CNAME and RRSIG in the answer) valid, per the spec?</div></div></div></blockquote><div><br class=""></div><div>Yes. The canonical name (the right-hand side of the CNAME, the name in the rdata) does not exist. That is, the alias points to something that doesn’t exist. Is the canonical name in the same zone as the owner name of the CNAME record?</div><br class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div class="">* Either way, how should a recursive handle such an authoritative response?</div></div></div></blockquote><div><br class=""></div><div>This is a valid, albeit rare, terminating response. You can not trust the RCODE in the response. 
You have proof of existence of the CNAME (it has an RRSIG), and there may be a set of NSEC (or NSEC3) records proving absence of the canonical name (provided the canonical name should be in the same zone). If the latter (proof of absence) is not there, you should restart the query with the canonical name.</div><div><br class=""></div><div>Hope this helps</div><div><br class=""></div><div>Roy</div><br class=""><blockquote type="cite" class=""><div class="">
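</div></blockquote><div class="">The decision procedure Roy describes, as an added example that is not part of the original thread and is not the code of either resolver discussed: a small Python model of a validating recursive handling an RCODE=NXDOMAIN response that carries a CNAME in the answer section. Records are plain dataclasses rather than wire-format messages, a <code>signed</code> flag stands in for "an RRSIG covering this RRset was present and verified" (signature checking itself is not shown), and denial of existence follows the NSEC part of RFC 4035 section 5.4 (a covering NSEC for the canonical name plus wildcard denial at the closest encloser); NSEC3 is not handled. The zone <code>example.net</code>, the records and the four sample responses are constructed.</div>
<div class="">
```python
from dataclasses import dataclass
from typing import List, Tuple

NXDOMAIN = 3  # RCODE 3 ("Name Error"), RFC 1035 section 4.1.1


@dataclass
class RR:
    """Minimal resource record for this model (constructed, not a wire-format parser).
    `signed` stands in for "an RRSIG covering this RRset was present and verified"."""
    owner: str
    rtype: str
    rdata: str            # CNAME: canonical name; NSEC: next owner name in the chain
    signed: bool = False


@dataclass
class Response:
    rcode: int
    answer: List[RR]
    authority: List[RR]


def canon(name: str) -> str:
    return name.rstrip(".").lower()


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """Sort key for RFC 4034 section 6.1 canonical ordering: labels compared from
    the root downwards, case-insensitively; a parent sorts before its children."""
    return tuple(label.encode() for label in reversed(canon(name).split(".")))


def in_zone(name: str, zone: str) -> bool:
    n, z = canon(name), canon(zone)
    return n == z or n.endswith("." + z)


def follow_cname_chain(qname: str, answer: List[RR]) -> Tuple[str, List[RR]]:
    """Walk the CNAME chain in the answer section from qname; return (final name, chain)."""
    name, chain, seen = canon(qname), [], set()
    while True:
        if name in seen:
            raise ValueError("CNAME loop in answer section")
        seen.add(name)
        cname = next((rr for rr in answer
                      if rr.rtype == "CNAME" and canon(rr.owner) == name), None)
        if cname is None:
            return name, chain
        chain.append(cname)
        name = canon(cname.rdata)


def nsec_covers(nsec: RR, name: str) -> bool:
    """True if `name` sorts strictly between the NSEC owner and its next name.
    The last NSEC in a chain points back to the apex, so it wraps around. If the
    next name is at or below `name`, `name` exists (at least as an empty
    non-terminal) and is therefore not covered."""
    if in_zone(nsec.rdata, name):
        return False
    owner, nxt, n = canonical_key(nsec.owner), canonical_key(nsec.rdata), canonical_key(name)
    if owner < nxt:
        return owner < n < nxt
    return n > owner or n < nxt


def closest_encloser(name: str, nsec: RR) -> str:
    """Longest existing ancestor of `name`, inferred as the longest suffix `name`
    shares with the covering NSEC's owner or next name (both are known to exist)."""
    best: List[str] = []
    target = list(reversed(canon(name).split(".")))
    for other in (nsec.owner, nsec.rdata):
        common = []
        for a, b in zip(target, reversed(canon(other).split("."))):
            if a != b:
                break
            common.append(a)
        if len(common) > len(best):
            best = common
    return ".".join(reversed(best))


def nsec_proves_nxdomain(name: str, zone: str, authority: List[RR]) -> bool:
    """RFC 4035 section 5.4 with NSEC: one signed NSEC must cover `name`, and one
    signed NSEC must cover the wildcard at the closest encloser (so the name
    could not have been synthesized). NSEC3 is not handled here."""
    nsecs = [rr for rr in authority
             if rr.rtype == "NSEC" and rr.signed and in_zone(rr.owner, zone)]
    for nsec in nsecs:
        if nsec_covers(nsec, name):
            wildcard = "*." + closest_encloser(name, nsec)
            return any(nsec_covers(w, wildcard) for w in nsecs)
    return False


def handle_nxdomain(qname: str, zone: str, resp: Response) -> Tuple[str, str]:
    """Decide what a validating recursive does with an RCODE=NXDOMAIN response
    whose answer section may carry a CNAME. Returns (action, name):
      ("nxdomain", final)  canonical name proven absent: terminal response
      ("restart",  final)  no usable proof, or the name lies in another zone: re-query it
      ("bogus",    why)    the answer itself cannot be trusted
    The RCODE alone never decides the outcome."""
    if resp.rcode != NXDOMAIN:
        raise ValueError("helper expects an NXDOMAIN response")
    final, chain = follow_cname_chain(qname, resp.answer)
    if not chain:
        # Ordinary NXDOMAIN: the denial must cover the query name itself.
        if nsec_proves_nxdomain(final, zone, resp.authority):
            return "nxdomain", final
        return "bogus", "NXDOMAIN without denial of existence for " + final
    if not all(rr.signed for rr in chain):
        return "bogus", "CNAME in answer section is not covered by an RRSIG"
    if not in_zone(final, zone):
        # This server is not authoritative for the target and cannot prove anything about it.
        return "restart", final
    if nsec_proves_nxdomain(final, zone, resp.authority):
        return "nxdomain", final
    return "restart", final


# Constructed sample zone: www is an alias for host, and host was removed while
# the CNAME stayed behind (the situation reported in the thread).
ZONE = "example.net."
CNAME_WWW = RR("www.example.net.", "CNAME", "host.example.net.", signed=True)
NSEC_APEX = RR("example.net.", "NSEC", "mail.example.net.", signed=True)  # covers host and *
NSEC_LAST = RR("www.example.net.", "NSEC", "example.net.", signed=True)   # wraps to apex

WITH_PROOF = Response(NXDOMAIN, [CNAME_WWW], [NSEC_APEX, NSEC_LAST])
WITHOUT_PROOF = Response(NXDOMAIN, [CNAME_WWW], [])
OTHER_ZONE = Response(NXDOMAIN, [RR("www.example.net.", "CNAME", "host.example.org.", signed=True)],
                      [NSEC_APEX])
UNSIGNED = Response(NXDOMAIN, [RR("www.example.net.", "CNAME", "host.example.net.")], [NSEC_APEX])

if __name__ == "__main__":
    for label, resp in [("proof present", WITH_PROOF), ("proof missing", WITHOUT_PROOF),
                        ("target in another zone", OTHER_ZONE), ("unsigned CNAME", UNSIGNED)]:
        print(f"{label:24} -> {handle_nxdomain('www.example.net.', ZONE, resp)}")
```
</div>
<div class="">The three outcomes map onto the thread: with the NSEC proof present the resolver can cache a terminal NXDOMAIN for the canonical name without ever needing to abort at the RCODE; with the proof absent, or with a canonical name in a zone the server is not authoritative for, it restarts with the canonical name as Roy suggests; and only an unsigned CNAME is treated as bogus. Stopping at the RCODE before fetching the zone's DNSKEY RRset is what turns the first case into a SERVFAIL.</div>
<blockquote type="cite" class=""><div class="">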
<br class=""><br class="">_______________________________________________<br class="">dns-operations mailing list<br class=""><a href="mailto:dns-operations@lists.dns-oarc.net" class="">dns-operations@lists.dns-oarc.net</a><br class=""><a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" class="">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br class=""></div></blockquote></div><br class=""></body></html>