[bind10-dev] rrset trust level (Question about section 5.4.1 of rfc2181)

Mark Andrews marka at isc.org
Wed Feb 16 23:04:44 UTC 2011


In message <002e01cbcdce$f670dd60$e3529820$@com>, "Likun Zhang" writes:
> Hi all, 
> 
> I am still not very sure about my understanding of the following paragraph
> (which is in section 5.4.1, Ranking data, of rfc2181). Could you give some help?
> 
>    "Note that the answer section of an authoritative answer normally
>    contains only authoritative data.  However when the name sought is an
>    alias (see section 10.1.1) only the record describing that alias is
>    necessarily authoritative.  Clients should assume that other records
>    may have come from the server's cache.  Where authoritative answers
>    are required, the client should query again, using the canonical name
>    associated with the alias."
> 
> Take some messages as examples:
> 
> 1. CNAME
> 
> Message example :
> 
> ;HEADER
>  AA QR
> ;QUESTION
>   Example.com.  IN  NS
> ;ANSWER
>   Example.com.  CNAME  example.org.
>   Example.org.   CNAME  a.example.cn.
>   a.example.cn.   NS     ns.example.cn.  
> 
> My understanding is:
>   Only record "example.com. CNAME example.org." (the first record) is treated
>   as authoritative, the remaining two records in the answer section are not
>   authoritative, am I right here?

Yes.
 
> 2. DNAME
> 
> Similar to CNAME, we have to deal with the situation when there are one or
> more DNAME records in the answer section (I didn't find it in some rfc, including
> dname bits, but I think it should work like cname). Message example:
> 
> ;HEADER
>  AA QR
> ;QUESTION
>   a.example.com.  IN  A
> ;ANSWER
>   Example.com.    DNAME  example.org.
>   a.example.com.  CNAME   a.example.org.
>   Example.org.     DNAME  example.cn.
>   a.example.org.   CNAME  a.example.cn.
>   a.example.cn.    A      1.1.1.1
> 
> My understanding is:
>  Only the first record in the answer section is authoritative, all the remaining
>  records are not authoritative, am I right here?

The DNAME is authoritative and the CNAME has the same trust as the
DNAME being synthesised from it.

> 3. Last question (sorry for the long email, :) )
> If there are some CNAME(DNAME) records in the message's answer section, the first
> record must be a CNAME(DNAME) record. Am I right here? Or else, I think the
> message user doesn't know how to parse it. Is there some rfc talking about it?

Yes, they should be in processing order but you shouldn't depend on it.

> Thanks
> Likun
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
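
Added example, not part of the original thread and not BIND 10 code: a sketch of the ranking discussed above, applied to the two quoted messages. The function and label names are hypothetical, and it assumes that only the first alias link for the query name (plus the CNAME synthesised from a DNAME) ranks as authoritative, with every later record ranked as non-authoritative answer data.

```python
# Added illustration, not BIND 10 code. rank_answer and the trust labels are
# hypothetical names; the ranking of later chain links is an assumption.
AUTH = "authoritative answer data"
NONAUTH = "non-authoritative answer data"


def norm(name):
    """Lower-case a domain name and make it fully qualified."""
    return name.lower().rstrip(".") + "."


def rank_answer(qname, records):
    """Rank (owner, rrtype, rdata) answer records of a response with AA set."""
    qname = norm(qname)
    recs = [(norm(o), t.upper(), norm(d) if t.upper() in ("CNAME", "DNAME") else d)
            for o, t, d in records]
    # Locate the alias records for the query name by owner, not by position,
    # because the order of the answer section should not be relied on.
    cname = next((i for i, (o, t, _) in enumerate(recs)
                  if t == "CNAME" and o == qname), None)
    dname = next((i for i, (o, t, _) in enumerate(recs)
                  if t == "DNAME" and qname.endswith("." + o)), None)
    trusted = set()
    if dname is not None:
        trusted.add(dname)
        owner, _, target = recs[dname]
        synthesised = qname[:-len(owner)] + target
        # The CNAME inherits the DNAME's trust only if it is the record that
        # this DNAME would synthesise for the query name.
        if cname is not None and recs[cname][2] == synthesised:
            trusted.add(cname)
    elif cname is not None:
        trusted.add(cname)
    else:
        # No alias for the query name: the normal case in the quoted RFC text.
        trusted = set(range(len(recs)))
    return [AUTH if i in trusted else NONAUTH for i in range(len(recs))]


# Constructed from the two messages quoted in the thread.
MSG1 = [("Example.com.", "CNAME", "example.org."),
        ("Example.org.", "CNAME", "a.example.cn."),
        ("a.example.cn.", "NS", "ns.example.cn.")]
MSG2 = [("Example.com.", "DNAME", "example.org."),
        ("a.example.com.", "CNAME", "a.example.org."),
        ("Example.org.", "DNAME", "example.cn."),
        ("a.example.org.", "CNAME", "a.example.cn."),
        ("a.example.cn.", "A", "1.1.1.1")]
```

rank_answer("Example.com.", MSG1) marks only the first record as authoritative; rank_answer("a.example.com.", MSG2) marks the first DNAME and its synthesised CNAME, and gives the same labels if the records arrive in a different order.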


