[DNSOP] Clarification: Complete or not-complete RRSets in AUTHORITY section? (non-DNSSEC)

Ondřej Surý <ondrej.sury@nic.cz> Mon, 10 April 2017 12:29 UTC

Date: Mon, 10 Apr 2017 14:29:42 +0200
From: Ondřej Surý <ondrej.sury@nic.cz>
To: dnsop <dnsop@ietf.org>
Cc: knot-dns@labs.nic.cz
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/CYjPDlwtpxzdQV_qycB-WfnW6CI>

Hi there,

I am seeking clarification on NS RRSet completeness
in the AUTHORITY section as we are tackling one particular
RPL test from Unbound (iter_pcname.rpl).

Imagine a situation where the parent (.net/.com NS) gives this glue:

<anything>.example.com. IN A
example.com. IN NS ns.example.net.
example.com. IN NS ns.example.com.
ns.example.net. IN A
ns.example.com. IN A


ns.example.net. gives

www.example.com. IN A
www.example.com. IN A
example.com. IN NS ns.example.com.
ns.example.com. IN A


ns.example.com. just returns SERVFAIL


And the resolver is asked to resolve:

Step 1:
www.example.com. -> OK, returns

Step 2:
mail.example.com. -> SERVFAIL, because the NS RRset has been
overwritten by www.example.com ANSWER data from AUTHORITY
due to RFC 2181 5.4.1 Ranking:

> Data from the authority section of an authoritative answer,

Thus only ns.example.com. is asked and it SERVFAILs.


In my understanding it should be ok to return SERVFAIL,
because there's no way to honor the 5.4.1 Ranking and
not fail.  Or am I missing something really obvious?

 Ondřej Surý -- Technical Fellow
 CZ.NIC, z.s.p.o.    --     Laboratoře CZ.NIC
 Milesovska 5, 130 00 Praha 3, Czech Republic
 mailto:ondrej.sury@nic.cz    https://nic.cz/
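
The scenario in the message above, modelled as an added example (it is not part of the original message and is not Unbound or Knot code). The server replies, the sorted server-selection order, the assumption that ns.example.net. answers any name in example.com., and the `replace_on_higher_rank=False` merge variant are constructed for illustration; the merge variant is a hypothetical contrast only.

```python
# Trust levels, lowest to highest, for the two data sources in this scenario
# (ordering as in RFC 2181 section 5.4.1).
REFERRAL, AUTH_AUTHORITY = 1, 2

def ns_example_net(qname):
    # Constructed: authoritative reply whose AUTHORITY section lists only
    # ns.example.com. Assumption: it answers any name in example.com.
    return {"rcode": "NOERROR", "aa": True, "authority_ns": {"ns.example.com."}}

def ns_example_com(qname):
    # Constructed: this server always fails, as in the message.
    return {"rcode": "SERVFAIL", "aa": False, "authority_ns": set()}

SERVERS = {"ns.example.net.": ns_example_net, "ns.example.com.": ns_example_com}

class Resolver:
    def __init__(self, replace_on_higher_rank=True):
        self.replace = replace_on_higher_rank
        # Delegation learned from the parent: both servers, referral trust.
        self.ns_cache = {"example.com.": (REFERRAL,
                                          {"ns.example.net.", "ns.example.com."})}

    def store_ns(self, zone, rank, nsset):
        old_rank, old_set = self.ns_cache[zone]
        if rank < old_rank:
            return  # lower-ranked data never displaces cached data
        if self.replace:
            self.ns_cache[zone] = (rank, set(nsset))  # whole RRset replaced
        else:
            self.ns_cache[zone] = (rank, old_set | nsset)  # hypothetical merge

    def resolve(self, qname, zone="example.com."):
        asked = []
        for ns in sorted(self.ns_cache[zone][1]):  # deterministic order (assumption)
            asked.append(ns)
            reply = SERVERS[ns](qname)
            if reply["rcode"] != "NOERROR":
                continue  # try the next server in the cached NS set
            if reply["aa"] and reply["authority_ns"]:
                self.store_ns(zone, AUTH_AUTHORITY, reply["authority_ns"])
            return "NOERROR", asked
        return "SERVFAIL", asked
```

`resolve()` returns the final rcode together with the list of servers that were asked, so the second lookup shows which servers remain reachable after the cached NS RRset has been replaced.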