IETF Logo Mail Archive

Re: [dnsext] RFC 6604 Clarification

Dave Lawrence <tale@dd.org> Tue, 31 March 2015 19:20 UTC

Return-Path: <tale@dd.org>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F7FA1ABD35 for <dnsext@ietfa.amsl.com>; Tue, 31 Mar 2015 12:20:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XaK1kVCmuroD for <dnsext@ietfa.amsl.com>; Tue, 31 Mar 2015 12:20:19 -0700 (PDT)
Received: from gro.dd.org (gro.dd.org [207.136.192.136]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18A671ABB19 for <dnsext@ietf.org>; Tue, 31 Mar 2015 12:20:18 -0700 (PDT)
Received: by gro.dd.org (Postfix, from userid 102) id 796C73F439; Tue, 31 Mar 2015 15:20:17 -0400 (EDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <21786.62321.220106.816987@gro.dd.org>
Date: Tue, 31 Mar 2015 15:20:17 -0400
From: Dave Lawrence <tale@dd.org>
To: Kumar Ashutosh <Kumar.Ashutosh@microsoft.com>
In-Reply-To: <275d23dc0a4e4cdc88238b1c47ea0c36@HKXPR30MB021.064d.mgd.msft.net>
References: <af1796c3bda84e99844715264afc67a5@HKXPR30MB021.064d.mgd.msft.net> <551A4B2B.9070406@nlnetlabs.nl> <FD8E7EA6-7B27-4442-8FCD-F54533DEB530@cnnic.cn> <275d23dc0a4e4cdc88238b1c47ea0c36@HKXPR30MB021.064d.mgd.msft.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsext/0gtpRO2eXLaZs_H_vYI4Nk8He2k>
Cc: "dnsext@ietf.org" <dnsext@ietf.org>
Subject: Re: [dnsext] RFC 6604 Clarification
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext/>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Mar 2015 19:20:20 -0000

Kumar Ashutosh writes:
> 1.	If the CNAME chain points to a Qname for which the auth server
> is non-authoritative (and recursion is disabled on the auth server.)
> The server in this case cannot get the response. A direct query for
> this Qname will result in SERV_FAIL. Should the auth server return
> SERV_FAIL in this case? Will resolvers respect answers with SERV_FAIL
> in RCODE and cache the partial response? 

It's best to just send NOERROR if you put in a CNAME, even if you
tried to chase it and got your own failure.

While I can't speak for every implementation, I know at least a couple
of major resolvers that will not even bother looking for anything else
beyond the CNAME, even if the target is apparently in the same zone.
By a strict reading of RFC 1034 and RFC 1035, the resolver will
restart the query with the target name by sending a new query to the
relevant authority.

Without going to check the code, I'm honestly not sure what they'd do
with status of SERVFAIL from an authority but an answer section that
started with a CNAME.   RFC 1034 section 5.3.3 puts checking for the
server failure status after checking for the CNAME, and that does
superficially seem to have a certain robustness to it, but I would not
be surprised to discover that some implementers made a different choice.

v2.23.0 | Report a Bug | By Email