Weird DNS behaviour resolution issues when more labels are present in a zone

tale d.lawrence at salesforce.com
Wed Dec 16 19:42:59 UTC 2020


On Wed, Dec 16, 2020 at 3:48 AM Prasanna Mathivanan (pmathiva) via
bind-users <bind-users at lists.isc.org> wrote:
> Whenever we have broken delegation as domain owners didn't follow proper RFC, the default behaviour of the query hits "_.<label-sequence>" which doesn't exist, and we get an NXDOMAIN or SERVFAIL response.

Going back to your original example, a.b.c.example.com, qname
minimisation first identifies that there is a delegation at .com for
example.com, and then asks the example.com nameservers for
_.c.example.com.   Typically this _.c.example.com query would come
back with either an NXDOMAIN answer, which means that the queried
nameserver believes it is authoritative for all names within
c.example.com, or it comes back with a NOERROR answer that lists a
delegation in the authority section.

In the first case (NXDOMAIN), the resolver knows it can ask the same
servers about _.b.c.example.com and the cycle repeats.  In the latter
case, the resolver is able to distinguish between whether there was a
delegation for c.example.com (and ask the new nameservers about
_.b.c.example.com) or a delegation that's actually at _.c.example.com
(highly unusual, in which case, ask the original example.com
nameservers about _.b.c.example.com).

Getting a SERVFAIL throws a wrench in all this.  It's the
authoritative server basically saying, "I'm badly broken and can't
tell you how."  Generally this means the resolver should ask the next
server in the authoritative list.  If they're all giving SERVFAIL then
the resolver can either try to work around the brokenness (for
example, by querying the full name at its closest enclosing
delegation) or just give up on the SERVFAIL.

-- 
tale

PS: While thinking about this I realized a weird case, which is if
only a subset of the parent nameservers are authoritative for a
subdomain.  That is, imagine example.com is served by the four servers
ns{1,2,3,4}.example.com, but c.example.com is delegated only to
ns{1,2}.example.com.  If you ask ns1 or ns2 about _.c.example.com,
they'll give an authoritative answer and the fact that a delegation
exists wouldn't be identified (absent DNSSEC), but asking ns3 or ns4
would give the delegation to ns1 and ns2.  I can't think of how this
might be a real problem for future queries though, outside of the
usual type of brokenness that can happen even with full name queries
(e.g., a parent has a subdomain configured that isn't actually
delegated to it).
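The walk described in this message (probe "_.<label-sequence>" at each step, treat NXDOMAIN as "these servers cover everything below", follow a NOERROR referral, move to the next server on SERVFAIL, and fall back to the full name at the closest enclosing delegation when every server SERVFAILs) as an added toy model. This is example code written for this page, not BIND's resolver or anything from the thread; the server names, zone data, addresses and the "rejects underscore queries" flag are all constructed assumptions, and a server that is not configured for the zone is simply modelled as answering SERVFAIL. The data also reproduces the PS case: ns1/ns2 serve c.example.com themselves and answer NXDOMAIN for _.c.example.com, while ns3/ns4 return the delegation.

```python
# Toy qname-minimisation resolver over a constructed set of authoritative servers.
# All names, addresses and server contents are made up for this example.

NXDOMAIN, NOERROR, SERVFAIL = "NXDOMAIN", "NOERROR", "SERVFAIL"

EXAMPLE_NS = ["ns1.example.com", "ns2.example.com", "ns3.example.com", "ns4.example.com"]
EXAMPLE_ZONE = {"delegations": {
    "c.example.com": ["ns1.example.com", "ns2.example.com"],   # only ns1/ns2 also serve it (PS case)
    "legacy.example.com": ["ns1.legacy.test"],                 # assumed: SERVFAILs on "_." queries
    "lame.example.com": ["ns1.lame.test"],                     # assumed: server not configured at all
}}
C_ZONE = {"names": {"a.b.c.example.com": "192.0.2.10"}}

SERVERS = {  # server -> {zone apex: zone data}; every entry is constructed
    "x.gtld.test": {"com": {"delegations": {"example.com": EXAMPLE_NS}}},
    "ns1.example.com": {"example.com": EXAMPLE_ZONE, "c.example.com": C_ZONE},
    "ns2.example.com": {"example.com": EXAMPLE_ZONE, "c.example.com": C_ZONE},
    "ns3.example.com": {"example.com": EXAMPLE_ZONE},
    "ns4.example.com": {"example.com": EXAMPLE_ZONE},
    "ns1.legacy.test": {"legacy.example.com": {"rejects_underscore": True,
                                               "names": {"a.b.legacy.example.com": "192.0.2.20"}}},
    "ns1.lame.test": {},
}


def answer(server, qname):
    """Respond as the authoritative server would, from its closest enclosing zone."""
    zones = SERVERS[server]
    apex = max((z for z in zones if qname == z or qname.endswith("." + z)), key=len, default=None)
    if apex is None:                       # not authoritative: modelled as SERVFAIL here
        return {"rcode": SERVFAIL}
    zone = zones[apex]
    if zone.get("rejects_underscore") and qname.startswith("_."):
        return {"rcode": SERVFAIL}         # the brokenness the thread is about
    for child, child_ns in zone.get("delegations", {}).items():
        if qname == child or qname.endswith("." + child):
            return {"rcode": NOERROR, "referral": (child, child_ns)}   # delegation in authority section
    if qname in zone.get("names", {}):
        return {"rcode": NOERROR, "answer": zone["names"][qname]}
    return {"rcode": NXDOMAIN}             # this server claims every name below apex


def ask_servers(servers, qname, trace):
    """Try each server in order; SERVFAIL means 'ask the next one'. None if all fail."""
    for server in servers:
        resp = answer(server, qname)
        trace.append((server, qname, resp["rcode"]))
        if resp["rcode"] != SERVFAIL:
            return resp
    return None


def resolve(qname, root_servers=("x.gtld.test",), root_apex="com"):
    """Minimised resolution: probe "_.<next labels>" at each step, the full name last.
    Returns (rcode, answer-or-None, trace of (server, qname, rcode))."""
    trace, servers, current = [], list(root_servers), root_apex
    pending = qname[: -len(root_apex) - 1].split(".")       # labels below the apex, leftmost first
    for _ in range(32):                                     # guard against referral loops
        if pending:
            current = pending.pop() + "." + current
        probe = "_." + current if pending else qname        # last step asks the real name
        resp = ask_servers(servers, probe, trace)
        if resp is None and probe != qname:                 # every server SERVFAILed on "_."
            resp = ask_servers(servers, qname, trace)       # workaround: full name at this delegation
            if resp is not None:
                return resp["rcode"], resp.get("answer"), trace
        if resp is None:
            return SERVFAIL, None, trace
        if "referral" in resp:
            child, child_ns = resp["referral"]
            if child == current:            # delegation at the label sequence: follow it
                servers = list(child_ns)
            # otherwise the delegation sits at the "_." name itself (unusual): keep these servers
            continue
        if not pending:                     # answer or NXDOMAIN for the full name
            return resp["rcode"], resp.get("answer"), trace
        # NXDOMAIN (or an answer) for "_.<current>": these servers own everything below it
    return SERVFAIL, None, trace


if __name__ == "__main__":
    for name in ("a.b.c.example.com", "a.b.legacy.example.com", "x.lame.example.com"):
        rcode, addr, trace = resolve(name)
        print(name, "->", rcode, addr)
        for step in trace:
            print("   ", step)
```

Running it shows the three behaviours side by side: for a.b.c.example.com the example.com servers answer NXDOMAIN for _.c.example.com and the resolver keeps asking them until it gets the address; for a.b.legacy.example.com the child server SERVFAILs the "_." probe and the resolver recovers by asking the full name at that delegation; for x.lame.example.com nothing works and the SERVFAIL is passed through.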

