Re: [DNSOP] RCODE and CNAME chain

Jan Včelák <jv@fcelda.cz> Wed, 26 April 2017 22:33 UTC

Return-Path: <jv@fcelda.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E5B3128DE7 for <dnsop@ietfa.amsl.com>; Wed, 26 Apr 2017 15:33:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fcelda.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XryQffaT2JMM for <dnsop@ietfa.amsl.com>; Wed, 26 Apr 2017 15:33:06 -0700 (PDT)
Received: from mail-ua0-x231.google.com (mail-ua0-x231.google.com [IPv6:2607:f8b0:400c:c08::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B320F128B8D for <dnsop@ietf.org>; Wed, 26 Apr 2017 15:33:06 -0700 (PDT)
Received: by mail-ua0-x231.google.com with SMTP id j59so9612207uad.0 for <dnsop@ietf.org>; Wed, 26 Apr 2017 15:33:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fcelda.cz; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=/ASZ9DU3EUcI1GgFxtTWxKxqNK256M4rBV7DX2WUau4=; b=LTc0GX1XfzZQjNRSzXSMb9zHRDdXm8H2lslp5XoVTUv/DfMMkowixKIcg/W7/x4wMy 4wcjP1VTto1Li7G6+knI4TbSyGl4YOKFgEs3okqYETNh4RMeiiMxF3k4cMS1lsODyD/c 54OCVEsxz3cYHfpBXecG+yzi8VRpfvjc/I8hM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=/ASZ9DU3EUcI1GgFxtTWxKxqNK256M4rBV7DX2WUau4=; b=seEUfYzhgmebO2NvO+bNaNOLwjHlwEqvFXdFADO0Am3KWxsKkge368f+kyOv8h/pJb n5yiT94TOFZDo92jjpef0r6YxvdVSY7+0hSkUuVLU5DpwvCfpSTCxIQjEHHZ8Rwr5WRP 6pdVdWsQUNaFcv0WnrYl0TDmb/IorsrqkHWbBFVv6QGC6Tur/DZEqgoviE81VKRkon3z z3CZ3ZBU2szpZLdFxU1KRT+k6RFcS/Ym1dTL5bKTkIU5PAvf93ItGPILJRBuReiodjc3 i3Xk/yb8QEo4djw6SNK5qxM3dZdOWl+MQKHBXsF+sgXtOqHQwzsnWvamWKM0tFCHYyo8 xqdw==
X-Gm-Message-State: AN3rC/5PSEerdUFaMUGG8Yuc3+yH5qIAKU5fuDd1eX/AHvPslqb5SLWU CJPpGJdC5klN2qxXmTrxEjkpC/r1Tz8n
X-Received: by 10.176.24.223 with SMTP id d31mr1261073uah.140.1493245985448; Wed, 26 Apr 2017 15:33:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.20.69 with HTTP; Wed, 26 Apr 2017 15:32:44 -0700 (PDT)
X-Originating-IP: [89.103.145.110]
In-Reply-To: <73DD364E-12F0-4367-964D-6C18E37BC12B@powerdns.com>
References: <20170405054338.GA15831@jurassic> <73DD364E-12F0-4367-964D-6C18E37BC12B@powerdns.com>
From: =?UTF-8?B?SmFuIFbEjWVsw6Fr?= <jv@fcelda.cz>
Date: Thu, 27 Apr 2017 00:32:44 +0200
Message-ID: <CAM1xaJ8OOkxw41DzTOBV6yXVmtJVnKGu=4xsP3FWyQGFt36H1g@mail.gmail.com>
To: Peter van Dijk <peter.van.dijk@powerdns.com>, muks@isc.org
Cc: dnsop@ietf.org
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/UDdvtYSsgJZlQFJ7CyCweXOtfW8>
Subject: Re: [DNSOP] RCODE and CNAME chain
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Apr 2017 22:33:09 -0000

Hello,

sorry for resurrecting this thread, but this really caught my attention.

On Wed, Apr 5, 2017 at 9:03 AM, Peter van Dijk wrote:
> On 5 Apr 2017, at 7:43, Mukund Sivaraman wrote:
>> Evan just pointed out a case due to a system test failure that is
>> interesting.. it's not clear what the behavior should be in this case,
>> so please discuss:
>>
>> There's a nameserver that's authoritative for 2 zones example.org. and
>> example.com.
>>
>> In the example.org. zone, foo.example.org. is CNAME to bar.example.com.
>>
>> In the example.com. zone, the name bar.example.com. doesn't exist (NXDOMAIN).
>>
>> A query for "foo.example.org./A" is answered by the nameserver. It adds
>> the foo.example.org. CNAME bar.example.com. in the answer section, and
>> then, following RFC 1034 4.3.2. 3.(a.), sets the QNAME to
>> "bar.example.com" and looks into the "example.com" zone for
>> "bar.example.com.". It is not found.
>>
>> The question is: what is the expected reply RCODE for this?
>>
>> 1. Is it NOERROR (0) because there is an answer section with the CNAME?
>>
>> 2. Is it NXDOMAIN (3) because the CNAME target was not found?
>
> NXDOMAIN is correct. The text on this on 103x is a bit weak but 2308 2.1 clarifies this.
>

I actually think NOERROR is correct. The target of the CNAME
(bar.example.com) is not in the bailiwick of the zone (example.org).
So the authoritative server should stop processing the CNAME chain at
this point and send the response with RCODE=NOERROR.

Or can we at least agree that both RCODEs are correct? :-)

Jan