[Pdns-users] Rcode 3 NXDOMAIN for existing CNAME

Peter Thomassen peter at desec.io
Tue Mar 21 15:57:42 UTC 2023


On 3/13/23 11:41, Chris Hofstaedtler | Deduktiva via Pdns-users wrote:
> * Christoph <cm at appliedprivacy.net> [230312 19:52]:
>>>     When there is an xNAME chain, the RCODE field is set as follows:
>>>
>>>        When an xNAME chain is followed, all but the last query cycle
>>>        necessarily had no error.  The RCODE in the ultimate DNS response
>>>        MUST BE set based on the final query cycle leading to that
>>>        response.  If the xNAME chain was terminated by an error, it will
>>>        be that error code.
>>
>> Is it possible to construct a query that asks the server
>> to not follow the chain?
> 
> From what I can tell, there is no way of not getting NXDOMAIN here.

Well, if you ask for the xNAME (e.g. CNAME) record, then you'll get that (with a NOERROR code). So by issuing an xNAME query in addition to the record type you're interested in, you can learn whether the NXDOMAIN is due to the queried name not existing, or due to the CNAME chain target not existing.

However, I doubt this is a reasonable approach for your ACME client.

Cheers,
Peter

-- 
https://desec.io/
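
The two-query check described in the message above, as an added example that is not part of the original post or of PowerDNS: it reads RCODE and answer types from wire-format responses to the type query and the CNAME query and reports which case caused the NXDOMAIN. The names, the `build_response` helper and the result labels are constructed for illustration.

```python
import struct

NOERROR, NXDOMAIN, TYPE_CNAME, TYPE_TXT = 0, 3, 5, 16
OWNER = "_acme-challenge.example.com"  # constructed sample name
CHAIN = [(OWNER, TYPE_CNAME, "missing.example.net")]  # constructed CNAME record

def encode_name(n):
    return b"".join(bytes([len(l)]) + l.encode() for l in n.rstrip(".").split(".")) + b"\0"

def build_response(qname, qtype, rcode, answers=()):
    """Constructed test helper: minimal authoritative response, no compression."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8400 | rcode, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, target in answers:
        rdata = encode_name(target)
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

def skip_name(msg, off):
    """Return the offset just past a name, honouring compression pointers."""
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse(msg):
    """Return (rcode, [answer rrtypes]) from a wire-format response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return flags & 0xF, types

def classify(type_resp, cname_resp):
    if parse(type_resp)[0] != NXDOMAIN:
        return "no-nxdomain"
    rcode, types = parse(cname_resp)
    if rcode == NXDOMAIN:
        return "name-missing"
    if rcode == NOERROR and TYPE_CNAME in types:
        return "cname-target-missing"
    return "inconclusive"
```
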

