[Pdns-users] Delegation / recursion bug ?

Derrik Pates demon at devrandom.net
Fri Jul 21 23:04:46 UTC 2006

Martijn Grendelman wrote:
> So, when I ask for 'foo.startpagina.nl', I should be directed to the
> mentioned nameservers.
> Now, a query without 'RD' set, is answered nicely:

> However, a query _with_ recursion desired is served 'SERVFAIL', even
> when recursion is allowed.
> In the log, I find:
> Ignoring wildcard CNAME 'dochters.gl.startpagina.nl' pointing at itself
> which is not correct. It would be, if those NS records weren't present,
> but in this case, the wildcard CNAME is pointing to a host that is
> served by a different nameserver.
> So, my conclusion would be that delegation in combination with recursion
> doesn't work the way it should. Am I right?

Is your authoritative nameserver also set to recurse? (This is not
recommended generally, especially due to more recent issues of cache
pollution.) If not, then you are not correct; your nameserver is not
responsible for chasing out of zone CNAMEs. That's the task of the
recursor. The recursor's queries won't have the RD bit set anyway;
they'll get the CNAME redirection, which they'll then have to chase
down. The NS records are irrelevant; no recursion means *no recursion*.

I know there was a recent thread on this, and it was also stated there
that this is RFC documented proper behavior for an authoritative only
nameserver, just like if you queried your authoritative-only nameserver
for 'www.google.com'. SERVFAIL it its way of saying "this is in a zone I
don't know".

The "ignoring wildcard CNAME" message just happens because (a) (I'm
guessing) it can't recurse, and (b) it's scouring the records it has to
no avail, falling back on the CNAME. It's therefore acting as a failsafe
to avoid getting caught in a loop, just as it should.

Derrik Pates
demon at devrandom.net

More information about the Pdns-users mailing list