Closed kjette closed 8 years ago
Can you show your zone contents please?
Have received the zone in private. I don't see any _tcp in there, what am I missing? The response from UltraDNS also suggests there is no _tcp empty non-terminal.
Yes, sorry, indeed there is no empty non-terminal, from the secondary UltraDNS servers the unresolvable CNAME is accompanied by a proof of non-existence of _tcp. I've seen too many cases of empty non-terminal issues, and in this case jumped to conclusions too quickly.
I still think that the authoritative server needs to just return the CNAME data it has (without chasing the CNAME) when the target of the CNAME does not exist or loops. This is what the secondaries do, and the primary should act the same.
Hashes:
q6d7nlmm7hj224qvb6lpmg6cpln6dso0. doesnotexist.dbdo.se
ioibg7vnme250daecms1319sphul4jmu. *.dbdo.se
vg23qt8s9k87afurdic9pfp2cudf886m. dbdo.se
Answers:
@ns6.binero.se.[156.154.67.59]
; <<>> DiG 9.10.3-P4 <<>> +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t a doesnotexist.dbdo.se @156.154.67.59
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25267
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1
;doesnotexist.dbdo.se. IN A
doesnotexist.dbdo.se. CNAME doesnotexist.dbdo.se.
doesnotexist.dbdo.se. RRSIG CNAME 8 2 7200 20160825000000 20160804000000 34296 dbdo.se.
ioibg7vnme250daecms1319sphul4jmu.dbdo.se. NSEC3 1 0 1 AB VG23QT8S9K87AFURDIC9PFP2CUDF886M CNAME RRSIG
vg23qt8s9k87afurdic9pfp2cudf886m.dbdo.se. NSEC3 1 0 1 AB 3F8EGOT7HUPFFDVJ3S9EV18VCK5C9KNJ A NS SOA RRSIG DNSKEY NSEC3PARAM
ioibg7vnme250daecms1319sphul4jmu.dbdo.se. RRSIG NSEC3 8 3 3600 20160825000000 20160804000000 34296 dbdo.se.
vg23qt8s9k87afurdic9pfp2cudf886m.dbdo.se. RRSIG NSEC3 8 3 3600 20160825000000 20160804000000 34296 dbdo.se.
@ns7.binero.se.[195.74.39.30]
; <<>> DiG 9.10.3-P4 <<>> +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t a doesnotexist.dbdo.se @195.74.39.30
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6939
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;doesnotexist.dbdo.se. IN A
Can you open a fresh bug about the CNAME chasing, without all the baggage this issue has accumulated? I'll close this one.
Reporter: ietf-dane@dukhovni
Problem:
Testing this on a different name server that is powered by UltraDNS:
See also: http://dnsviz.net/d/_25._tcp.dbdo.se/dnssec/
The wildcard CNAME at the zone apex is not pertinent to queries below the empty non-terminal "_tcp.dbdo.se".
Following output from the log:
This matches my observations: the zone apex has an invalid wildcard CNAME. However, that CNAME is not pertinent to the query at hand, since "_tcp" is a non-empty terminal. So attempts to resolve that CNAME should not happen. Also, SERVFAIL is questionable here; even if the CNAME were relevant, the authoritative server should just return the CNAME record in that case.
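The two rules argued over in this thread, wildcard applicability below an empty non-terminal (RFC 4592) and returning CNAME data without chasing a looping target, can be modelled in a few dozen lines. This is an added Python example, not code from the issue or from the name server; the zone contents are constructed (the thread established that the real zone has no `_tcp` names, so a second variant with a `_25._tcp` TLSA record is included only to show the empty non-terminal case), the wildcard target is an assumption, and the TLSA rdata is a placeholder.

```python
APEX = "dbdo.se"


def labels(name):
    """Split a name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


class Zone:
    def __init__(self, apex, records):
        self.apex = ".".join(labels(apex))
        self.rrsets = {}  # owner -> {rtype: [rdata, ...]}
        for owner, rtype, rdata in records:
            owner = ".".join(labels(owner))
            self.rrsets.setdefault(owner, {}).setdefault(rtype, []).append(rdata)
        # RFC 4592 s2.2.2: every ancestor of an existing name, down to the apex,
        # exists as well, possibly as an empty non-terminal (ENT) owning no RRs.
        self.ents = set()
        for owner in list(self.rrsets):
            labs = labels(owner)
            while len(labs) > len(labels(self.apex)):
                labs = labs[1:]
                ancestor = ".".join(labs)
                if ancestor not in self.rrsets:
                    self.ents.add(ancestor)
        self.names = set(self.rrsets) | self.ents

    def in_zone(self, name):
        return labels(name)[-len(labels(self.apex)):] == labels(self.apex)

    def closest_encloser(self, qname):
        """Longest existing ancestor of qname (RFC 4592 s3.3.1); ENTs count."""
        labs = labels(qname)
        while labs:
            candidate = ".".join(labs)
            if candidate in self.names:
                return candidate
            labs = labs[1:]
        return None

    def lookup(self, qname, qtype, seen=frozenset()):
        """Authoritative answer as (rcode, [(owner, rtype, rdata), ...]).

        A wildcard is used only when qname does not exist and the closest
        encloser owns a '*' child. A CNAME is followed inside the zone, but a
        loop (target equal to the owner, or already visited) ends the chain with
        the CNAME data collected so far and NOERROR, never a SERVFAIL."""
        qname = ".".join(labels(qname))
        if qname in self.names:
            rrs = self.rrsets.get(qname, {})           # {} for an ENT -> NODATA
        else:
            wild = f"*.{self.closest_encloser(qname)}"
            if wild not in self.rrsets:
                return "NXDOMAIN", []
            rrs = self.rrsets[wild]                    # synthesised under qname
        if qtype in rrs:
            return "NOERROR", [(qname, qtype, rd) for rd in rrs[qtype]]
        if "CNAME" not in rrs:
            return "NOERROR", []                       # NODATA
        target = ".".join(labels(rrs["CNAME"][0]))
        answer = [(qname, "CNAME", target)]
        if target == qname or target in seen or not self.in_zone(target):
            return "NOERROR", answer
        rcode, rest = self.lookup(target, qtype, seen | {qname})
        return rcode, answer + rest


# Constructed zone contents (not the real dbdo.se zone). The wildcard CNAME
# target is an assumption chosen so that it loops back onto the synthesised name.
BASE_RECORDS = [
    ("dbdo.se", "SOA", "ns6.binero.se. hostmaster.dbdo.se. 1 7200 3600 1209600 3600"),
    ("dbdo.se", "NS", "ns6.binero.se."),
    ("dbdo.se", "A", "192.0.2.1"),
    ("*.dbdo.se", "CNAME", "doesnotexist.dbdo.se"),
]
TLSA_PLACEHOLDER = "3 1 1 0000000000000000000000000000000000000000000000000000000000000000"

zone_without_tcp = Zone(APEX, BASE_RECORDS)
zone_with_tcp = Zone(APEX, BASE_RECORDS + [("_25._tcp.dbdo.se", "TLSA", TLSA_PLACEHOLDER)])

if __name__ == "__main__":
    print(zone_without_tcp.lookup("doesnotexist.dbdo.se", "A"))   # CNAME to itself, NOERROR
    print(zone_without_tcp.lookup("_25._tcp.dbdo.se", "TLSA"))   # wildcard applies: no ENT
    print(zone_with_tcp.ents, zone_with_tcp.lookup("_443._tcp.dbdo.se", "TLSA"))  # NXDOMAIN
```

In the variant without `_tcp`, the closest encloser of `_25._tcp.dbdo.se` is the apex, so the apex wildcard applies and the query name is synthesised as a CNAME; once `_25._tcp.dbdo.se` has a record, `_tcp.dbdo.se` becomes an empty non-terminal, it is the closest encloser for any other name under it, and since there is no `*._tcp.dbdo.se` the answer is NXDOMAIN with no CNAME at all. The self-referencing CNAME is returned as a single record with NOERROR, which is what the ns6 response above shows and what the thread argues the primary should do instead of SERVFAIL.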