CNAME Issue - Whether to use CNAME-data or Response-Flag

Steven Wilmot steven at data-utilities.co.uk
Fri Apr 9 15:13:42 UTC 2010


I am currently in the middle of trying to troubleshoot a DNS issue that
seems to produce different results when using BIND and Microsoft DNS Servers.
(This is also an open support-incident with both my ISP and Microsoft
Support.)

What I am hoping is that somebody might be able to help point me in the
direction of an RFC or specification document that might explain the
"PROPER" response.

I am not interested in any additional "workarounds", since I am already
aware of a number of possible alternatives.

---

I am trying to be objective in my analysis.


"Microsoft DNS" and "BIND" are both just different implementations of the
agreed "Internet Standard for DNS" (which is presumably based on one or more
RFC documents).

I do not want to state "This is Correct" or "This is Wrong" until I have had
a chance to find the "official standard" that explains the "CORRECT" response.

What I am hoping to achieve is to find "precise wording within the RFCs" to
narrow down whether this is "open to interpretation", or is a more serious
"not fully implementing the open standard".

----

Many thanks to anyone who can help or provide any additional insight (such
as any "additional forums" that I could approach with this question)

--------------------- 

The issue concerns:
*  DNS Server (Microsoft or Bind or otherwise) (running with an empty cache)
and operating using the standard root-hints.
*  Note: If forwarders ARE present, this just confuses the issue, because
the "primary DNS lookup" is then actually performed by an upstream resolver.

The main DNS record in question is:
* mail.wilmot.me.uk

--

The records for the domain "wilmot.me.uk" are currently hosted on the
following authoritative nameservers (servers owned by my ISP):
*  primary-dns.co.uk       internet address = 81.187.30.41
*  secondary-dns.co.uk     internet address = 81.187.81.32

---

Whichever DNS server (platform + os + version) is used, it seems to come
down to the following sequence of events:

The "local DNS Server" performs a query for "Type=A, data =
mail.wilmot.me.uk"

It receives the following response from the ISP.

Response Flags: 0x8403
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .1.. .... .... = Authoritative: Server is an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... 0... .... = Recursion available: Server can't do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... .... 0011 = Reply code: No such name (3)

Answer:
  Type: CNAME (Canonical name for an alias)
  Primary name: wilmot.me.uk.mail.aaisp.net.uk

I have spoken to my ISP about this, who has confirmed that they are running
BIND on their authoritative server, and as far as they are aware, they
believe that is a valid reply.

Much appreciated if anyone else can also confirm if this is a VALID
response.

---

The PROBLEM:

1 - BIND (and it would seem also "Win2008 Server R2") DNS servers would
appear to look first at the "ANSWER" part of the response above.

They then "correctly (in my opinion)" continue to look up the A record(s)
for "wilmot.me.uk.mail.aaisp.net.uk" and then return a result

2 - Win2003, Win2003 R2, Win2008 (all tested on x86 and x64) would appear to
look first at the "RESPONSE FLAG" part of the response above.

They then "incorrectly (in my opinion)" DO NOT perform any further action,
and instead return the "Reply code: No such name" part of the response as a
"Non-existent domain" response.

I have checked the results on a number of virtual machines

---

I am aware that there are many possible workarounds that I could try, but I
want to try and focus on the "solution" rather than just a "temporary
workaround"

-----------------

Regards,

Steven Wilmot
Director
Data Utilities Ltd
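
The two resolver behaviours described in the message above, as an added example that is not part of the original post: it decodes a constructed response carrying flags 0x8403 and the CNAME answer, then shows what an answer-first and an RCODE-first server does next. The message ID, TTL and all function names are assumptions made for illustration.

```python
import struct

def encode_name(name):  # dotted name -> length-prefixed DNS labels
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def read_name(msg, off):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while msg[off]:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        else:
            labels.append(msg[off + 1:off + 1 + n].decode().lower())
            off += 1 + n
    return ".".join(labels), (off + 1 if end is None else end)

def parse(msg):
    """Extract AA, RCODE, QNAME and any CNAME records from the answer section."""
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    qname, off = read_name(msg, 12)               # assumes QDCOUNT == 1
    off += 4                                      # skip QTYPE and QCLASS
    cnames = {}
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 5:                            # CNAME
            cnames[owner] = read_name(msg, off + 10)[0]
        off += 10 + rdlen
    return {"aa": bool(flags & 0x0400), "rcode": flags & 0x000F,
            "qname": qname, "cnames": cnames}

def next_step(resp, answer_first):
    """What the local server does next under each behaviour in the post."""
    if answer_first and resp["qname"] in resp["cnames"]:
        return ("follow", resp["cnames"][resp["qname"]])
    if resp["rcode"] == 3:                        # No such name
        return ("nxdomain", resp["qname"])
    return ("use-answer", resp["qname"])

# Constructed sample: header flags 0x8403, one question, one CNAME answer.
Q, T = "mail.wilmot.me.uk", "wilmot.me.uk.mail.aaisp.net.uk"
SAMPLE = (struct.pack("!6H", 0x1234, 0x8403, 1, 1, 0, 0) + encode_name(Q)
          + struct.pack("!HH", 1, 1) + b"\xc0\x0c"
          + struct.pack("!HHIH", 5, 1, 3600, len(encode_name(T))) + encode_name(T))
```

RFC 2308 section 2.1 notes that an NXDOMAIN response may carry CNAME RRs in its answer section, which is the shape of the reply decoded here.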
