Weird DNS behaviour resolution issues when more labels are present in a zone

Prasanna Mathivanan (pmathiva) pmathiva at cisco.com
Wed Dec 16 19:51:49 UTC 2020


Hi Tale,

Thanks for explaining.
We can close this query now.
Thanks team for helping me understand the issue.

-- 

Thanks
Prasanna

On 17/12/20, 1:13 AM, "tale" <d.lawrence at salesforce.com> wrote:

    On Wed, Dec 16, 2020 at 3:48 AM Prasanna Mathivanan (pmathiva) via
    bind-users <bind-users at lists.isc.org> wrote:
    > Whenever we have broken delegation as domain owners didn't follow proper RFC, the default behaviour of the query hits "_.<label-sequence>" which doesn't exist? And we get an NXDOMAIN or SERVFAIL response.

    Going back to your original example, a.b.c.example.com, qname
    minimisation first identifies that there is a delegation at .com for
    example.com, and then asks the example.com nameservers for
    _.c.example.com. Typically this _.c.example.com query would come
    back with either an NXDOMAIN answer, which means that the queried
    nameserver believes it is authoritative for all names within
    c.example.com, or it comes back with a NOERROR answer that lists a
    delegation in the authority section.

    In the first case (NXDOMAIN), the resolver knows it can ask the same
    servers about _.b.c.example.com and the cycle repeats.  In the latter
    case, the resolver is able to distinguish between whether there was a
    delegation for c.example.com (and ask the new nameservers about
    _.b.c.example.com) or a delegation that's actually at _.c.example.com
    (highly unusual, in which case, ask the original example.com
    nameservers about _.b.c.example.com).

    Getting a SERVFAIL throws a wrench in all this.  It's the
    authoritative server basically saying, "I'm badly broken and can't
    tell you how."  Generally this means the resolver should ask the next
    server in the authoritative list.  If they're all giving SERVFAIL then
    the resolver can either try to work around the brokenness (for
    example, by querying the full name at its closest enclosing
    delegation) or just give up on the SERVFAIL.

    -- 
    tale

    PS: While thinking about this I realized a weird case, which is if
    only a subset of the parent nameservers are authoritative for a
    subdomain.  That is, imagine example.com is served by the four servers
    ns{1,2,3,4}.example.com, but c.example.com is delegated only to
    ns{1,2}.example.com.  If you ask ns1 or ns2 about _.c.example.com,
    they'll give an authoritative answer and the fact that a delegation
    exists wouldn't be identified (absent DNSSEC), but asking ns3 or ns4
    would give the delegation to ns1 and ns2.  I can't think of how this
    might be a real problem for future queries though, outside of the
    usual type of brokenness that can happen even with full name queries
    (eg, a parent has a subdomain configured that isn't actually
    delegated to it).
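The qname-minimisation walk tale describes (NXDOMAIN means "same servers, next label"; NOERROR with a delegation means "follow the referral" unless the delegation sits at the _.x name itself; SERVFAIL means "try the next server, then fall back to the full name") can be modelled in a few lines. This is an added illustration, not code from the thread or from BIND: the zone tree, server names and the 192.0.2.1 answer are constructed, and every server in a zone is assumed to hold the same data (so the PS case of a partial NS set is not modelled).

```python
ZONES = {  # constructed authority tree: nameservers, delegated children, broken flag
    ".": {"ns": ["root-ns"], "deleg": ["com"]},
    "com": {"ns": ["gtld-ns"], "deleg": ["example.com"]},
    "example.com": {"ns": ["ns1.example.com", "ns2.example.com"],
                    "deleg": ["c.example.com"]},
    "c.example.com": {"ns": ["ns1.c.example.com"], "deleg": [], "servfail": False},
}

def ask(zones, zone, qname):
    """Answer one query as an authoritative server for `zone` would."""
    z = zones[zone]
    if z.get("servfail"):                 # "I'm badly broken and can't tell you how"
        return "SERVFAIL", None
    for child in z["deleg"]:              # NOERROR with a delegation in the authority section
        if qname == child or qname.endswith("." + child):
            return "REFERRAL", child
    if qname.startswith("_."):            # the synthetic "_" label never exists
        return "NXDOMAIN", None
    return "NOERROR", "192.0.2.1"         # leaf exists; constructed documentation address

def resolve(qname, zones=ZONES, max_steps=20):
    """Minimised walk; returns (final rcode, [(server, query, rcode), ...])."""
    labels, zone, known, trace = qname.split("."), ".", 0, []
    for _ in range(max_steps):
        full = known + 1 >= len(labels)   # last step: send the real name
        q = qname if full else "_." + ".".join(labels[-(known + 1):])
        for server in zones[zone]["ns"]:  # SERVFAIL: move on to the next listed server
            rcode, data = ask(zones, zone, q)
            trace.append((server, q, rcode))
            if rcode != "SERVFAIL":
                break
        if rcode == "SERVFAIL":           # every server broken: try the full name once
            rcode, _ = ask(zones, zone, qname)
            trace.append((zones[zone]["ns"][0], qname, rcode))
            return rcode, trace
        if rcode == "REFERRAL" and data != q:   # delegation at the label: follow the new NS set
            zone, known = data, len(data.split("."))
        elif full:                              # the real question was answered
            return rcode, trace
        else:                                   # NXDOMAIN, or a delegation at _.x itself:
            known += 1                          # same servers, one more label
    return "SERVFAIL", trace

if __name__ == "__main__":
    for server, q, rcode in resolve("a.b.c.example.com")[1]:
        print(f"{server:<20} {q:<22} {rcode}")
```

Flip `servfail` on c.example.com to see the walk stall at _.b.c.example.com and give up after one full-name retry, as described above.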
