<div dir="ltr"><div>Hi Dave,<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Aug 10, 2021 at 9:48 PM Dave Lawrence <<a href="mailto:tale@dd.org">tale@dd.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Shreyas Zare writes:<br>
> And all of the 3 CNAME records are within the zone cut for the<br>
> received SOA. To make the resolver work with this issue, the<br>
> negative cache implementation had to be removed for CNAMEs with<br>
> NXDOMAIN case.<br>
<br>
To be clear, and this could well be something that community was not<br>
really clear on until after 2308 was written, just being "within the<br>
zone cut" is not sufficient to know that it is really in the zone even<br>
when you are at the same label depth.<br>
<br>
Imagine an auth server that has this configuration:<br>
<br>
$origin example.com.<br>
. ns ns1.example.com.<br>
. ns ns2.example.com.<br>
foo cname bar<br>
bar ns ns1.example.com.<br>
bar ns ns2.example.com.<br>
<br>
$origin bar.example.com.<br>
. ns ns1.example.com.<br>
. ns ns2.example.com.<br>
. txt "record in child"<br>
<br>
A query to {ns1,ns2}.example.com for txt could be legitimately replied<br>
to by the auth with just the foo cname bar record, and noerror as<br>
rcode. Can a resolver tell for sure whether that means the txt for<br>
bar.example.com doesn't exist so that it could negative cache that?<br>
Just having the soa in additional wouldn't be a sufficient indication.<br>
<br>
Yes, I've acknowledged in a prior message that I didn't pick up on the<br>
auths in question giving an nxdomain for ds, which certainly muddies<br>
the water for the specific original example, which already had a tree<br>
configuration problem that would erroneously lead it to nxdomain even<br>
if it didn't have that problem with types. I'm just making clear that<br>
the resolver implementation needs to handle the lookup of the cname<br>
target as distinct from whatever appears in the answer beyond the<br>
first cname.<br></blockquote><div><br></div><div>Thanks for the response. It helped me to improve my implementation.</div><div><br></div><div>Regards,<br clear="all"></div><div><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><b>Shreyas Zare</b><br><a href="https://technitium.com" target="_blank">Technitium</a><br></div></div></div></div></div></div></div></div></div></div>
</div></div></div>
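<p>The zone layout in the quoted message, modelled as a small resolver-side check. This is an added example, not code from the thread or from Technitium DNS Server; the zone names, the NS owner set and the answer section are constructed from the example above, and the function names are the example's own. It shows why a name being "within the zone cut" of the received SOA is not enough: the CNAME target bar.example.com sits under example.com, but a delegation at bar.example.com means the parent's SOA says nothing about it, so the resolver must issue a distinct query for the target instead of negative-caching.</p>

```python
# Added example: modelling Dave Lawrence's zone layout so a resolver can tell
# whether an SOA it received is usable for negative caching of a CNAME target.
# Not code from the thread or from Technitium; all inputs below are constructed.
from typing import Iterable, List, Optional, Tuple


def labels(name: str) -> tuple:
    """'bar.example.com.' -> ('bar', 'example', 'com'); the root '.' -> ()."""
    name = name.strip().rstrip(".").lower()
    return tuple(name.split(".")) if name else ()


def is_at_or_below(name: str, ancestor: str) -> bool:
    """True if `name` equals `ancestor` or is a descendant of it."""
    n, a = labels(name), labels(ancestor)
    return len(n) >= len(a) and n[len(n) - len(a):] == a


def zone_cut_between(qname: str, soa_owner: str, ns_owners: Iterable[str]) -> Optional[str]:
    """Return the owner of a delegation lying strictly below `soa_owner` and at
    or above `qname`, i.e. the zone cut that takes `qname` out of the SOA
    owner's zone, or None if there is no such cut. `ns_owners` is the set of
    names at which the resolver knows NS RRsets exist (constructed here)."""
    cuts = [o for o in ns_owners
            if is_at_or_below(qname, o)
            and is_at_or_below(o, soa_owner)
            and labels(o) != labels(soa_owner)]      # apex NS is not a delegation
    # The cut closest to the SOA owner is the one that removes authority.
    return min(cuts, key=lambda o: len(labels(o))) if cuts else None


def may_negative_cache(qname: str, soa_owner: str, ns_owners: Iterable[str]) -> bool:
    """The received SOA may be used to negative-cache `qname` only if qname is
    within the SOA owner's zone AND no delegation sits between them."""
    if not is_at_or_below(qname, soa_owner):
        return False
    return zone_cut_between(qname, soa_owner, ns_owners) is None


def follow_cname_chain(qname: str, answer_rrs: List[Tuple[str, str, str]]) -> str:
    """Walk the CNAME records in an answer section and return the final target,
    which the resolver still has to look up as a distinct query."""
    cnames = {labels(owner): target
              for owner, rtype, target in answer_rrs if rtype == "CNAME"}
    seen = set()
    name = qname
    while labels(name) in cnames and labels(name) not in seen:   # loop guard
        seen.add(labels(name))
        name = cnames[labels(name)]
    return name


# Constructed model of the example: example.com holds "foo CNAME bar" and
# delegates bar.example.com to a child zone that holds the TXT record.
PARENT_NS_OWNERS = {"example.com.", "bar.example.com."}
PARENT_ANSWER = [("foo.example.com.", "CNAME", "bar.example.com.")]
PARENT_SOA_OWNER = "example.com."


def resolve_txt_decision(qname: str = "foo.example.com.") -> dict:
    """Simulate the resolver's reasoning after a TXT query for `qname` was
    answered with only the CNAME, rcode NOERROR and the example.com SOA."""
    target = follow_cname_chain(qname, PARENT_ANSWER)
    cut = zone_cut_between(target, PARENT_SOA_OWNER, PARENT_NS_OWNERS)
    return {
        "target": target,
        "negative_cache_ok": may_negative_cache(target, PARENT_SOA_OWNER, PARENT_NS_OWNERS),
        "delegation": cut,
        "action": ("query the delegated servers for TXT" if cut
                   else "NODATA: negative-cache under the SOA"),
    }


if __name__ == "__main__":
    print(resolve_txt_decision())
```

<p>Run as-is it reports that the chain ends at bar.example.com, that the example.com SOA must not be used to negative-cache it, and that the delegation at bar.example.com is the reason; changing the CNAME target to a non-delegated name such as baz.example.com flips the decision to a cacheable NODATA.</p>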