Maintained by: NLnet Labs

[Unbound-users] Puzzling behavior with DNAME

W.C.A. Wijngaards
Wed May 26 10:03:18 CEST 2010


Hi Sebastian,

On 05/26/2010 02:20 AM, Sebastian Castro wrote:
> Stephane Bortzmeyer wrote:
>> I'm playing with māori domain names
>> <http://www.te-reo.maori.dns.net.nz/> and Unbound's behavior surprises
>> me.
> I'd like to add the behavior from Unbound is strange (yes, I already
> read Wouter's response).
> 
> Because the nameserver queried is authoritative for both zones,
> according to RFC2672, Section 4.1, 3.c: "If at some label, a match is
> impossible (i.e., the corresponding label does not exist), look to see
> whether the last label matched has a DNAME record.", then the
> substitution is performed and the resulting name is searched again,
> leading to a NXDOMAIN.

Well, when you search again you encounter the line 'if the QNAME is
original', which it is not.

> So I'm not completely clear which steps Unbound is taking to handle that
> query which led to a NOERROR response, but sounds interesting to know.

Well, over at namedroppers (the IETF DNSEXT working group mailing list)
you can see me get yelled at by the protocol experts :-)
[http://ops.ietf.org/lists/namedroppers/namedroppers.2010/msg01420.html]

That mailing list is the right place to find what the right rcode is.
Of course unbound should send out the proper rcode and be able to accept
leniently what it receives from other servers.

Best regards,
   Wouter