[Pdns-users] Delegation / recursion bug ?

Martijn Grendelman martijn at pocos.nl
Mon Jul 24 10:36:07 UTC 2006


Hi Derrik,

Derrik Pates wrote:
> Martijn Grendelman wrote:
>> So, when I ask for 'foo.startpagina.nl', I should be directed to the
>> mentioned nameservers.
>>
>> Now, a query without 'RD' set, is answered nicely:
> 
>> However, a query _with_ recursion desired is served 'SERVFAIL', even
>> when recursion is allowed.
>>
>> In the log, I find:
>>
>> Ignoring wildcard CNAME 'dochters.gl.startpagina.nl' pointing at itself
>>
>> which is not correct. It would be, if those NS records weren't present,
>> but in this case, the wildcard CNAME is pointing to a host that is
>> served by a different nameserver.
>>
>> So, my conclusion would be that delegation in combination with recursion
>> doesn't work the way it should. Am I right?
> 
> Is your authoritative nameserver also set to recurse? (This is not
> recommended generally, especially due to more recent issues of cache
> pollution.) If not, then you are not correct; your nameserver is not
> responsible for chasing out of zone CNAMEs. That's the task of the
> recursor. The recursor's queries won't have the RD bit set anyway;
> they'll get the CNAME redirection, which they'll then have to chase
> down. The NS records are irrelevant; no recursion means *no recursion*.

Yes, I understand. The problem is that the error I quoted above occurs 
where recursion _is_ enabled.

> I know there was a recent thread on this, and it was also stated there
> that this is RFC documented proper behavior for an authoritative only
> nameserver, just like if you queried your authoritative-only nameserver
> for 'www.google.com'. SERVFAIL is its way of saying "this is in a zone I
> don't know".

Yes, that question was posted by me, too :-)

> The "ignoring wildcard CNAME" message just happens because (a) (I'm
> guessing) it can't recurse, and (b) it's scouring the records it has to
> no avail, falling back on the CNAME. It's therefore acting as a failsafe
> to avoid getting caught in a loop, just as it should.

Best regards,

Martijn Grendelman