<div dir="ltr"><div>Hi,</div><div><br></div><div>Thanks everyone for the useful responses.<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, Aug 8, 2021 at 9:08 AM Dave Lawrence <<a href="mailto:tale@dd.org">tale@dd.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I agree with Viktor that the parent should have delegation records for<br>
the same-server child, but note that response with the rcode NXDOMAIN<br>
for a CNAME chain shouldn't be causing a problem for a modern<br>
resolver. A resolver should restart query processing with the target<br>
of each CNAME in the chain, and ultimately come to its own conclusion<br>
about whether the target at the end of the chain exists.<br>
<br>
I suspect that this issue existed for a while and the lack of<br>
screaming about it hints to me that for the vast majority of clients<br>
things continued to work fine. FWIW, from my network vantage point,<br>
when querying <a href="http://edns126.ultradns.com" rel="noreferrer" target="_blank">edns126.ultradns.com</a> for type A directly I get a<br>
response that has rcode NOERROR and terminates the chain with an<br>
address record.<br>
<br>
Shreyas, did you encounter a production resolver that was having a<br>
problem with chain/NXDOMAIN response?<br></blockquote><div><br></div><div>Yes, this was an issue in the code I have in production but has been mitigated. The resolver I have does restart for the last CNAME regardless of the RCODE but, the negative cache implementation based on RFC2308 and RFC8020 caused the NXDOMAIN response to get cached causing the issue. <br></div><div> </div><div>Regards,<br clear="all"></div><div><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><b>Shreyas Zare</b><br><a href="https://technitium.com" target="_blank">Technitium</a><br></div></div></div></div></div></div></div></div></div></div>
</div></div></div>