[Pdns-users] out-of-bailiwick CNAME records

[Richard Poole]

I've been trying out PowerDNS 3.0 and I've found a change in the handling
of CNAME records which seems to break some recursors, including the
PowerDNS recursor.

In 2.9.22.x3, the last release before 3.0, the behaviour when asked for
a name which has an associated CNAME record pointing to a zone for which
this nameserver is not authoritative is as follows: if the RD flag is set
in the query, it gives SERVFAIL, does not set the AA flag, and returns
only the single CNAME record in the ANSWER section with no AUTHORITY or
ADDITIONAL records. If the RD flag is *not* set, it gives NOERROR, sets
the AA flag, and returns the root server information in the AUTHORITY and
ADDITIONAL sections along with the CNAME record in the ANSWER section. The
pdns recursor does not set the RD flag so it sees the latter response,
and makes its own queries to resolve the right-hand side of the CNAME
record. It then returns the desired response to the original query which
it was trying to resolve.

In 3.0rc2, the behaviour does not depend on the RD flag: it gives
SERVFAIL, sets the AA flag, and returns only the single CNAME record. The
latest svn snapshot modifies this behaviour to not set the AA flag but
is otherwise the same. The pdns recursor, on seeing either of these
responses, returns SERVFAIL and no ANSWER records to the original query.

I'm using recursor verion 3.2 but the changelogs don't seem to indicate
a change between then and now.

The resulting effect is that when asking an authoritative pdns server
through a pdns recursor, the usual case inside our network, these CNAME
records don't work at all. I'm not sure which part of pdns is misbehaving
here, either according to RFCs or to common practice, but I think one
of them must be. I *think* it is the authoritative server that is in
the wrong, because we had customers who are presumably behind different
recursors reporting problems. I've now gone back to 2.9.22.x3 for live
but I'd like to get to 3.0 because we want to offer DNSSEC to customers
if we can. Any thoughts, anyone?

-- 
Richard Poole
System Administrator
Heart Internet Ltd
richard.poole at heartinternet.co.uk
http://www.heartinternet.co.uk/
Tel: 0845 644 7750
Fax: 0845 644 7740

******************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom
they are addressed. If you are not the intended recipient you are
not authorised to and must not disclose, copy, distribute, or
retain this message or any part of it.

Heart Internet Ltd accepts no responsibility for information,
errors or omissions in this email.
******************************************************************
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20110706/69d44924/attachment.sig>