Veaceslav Revutchi <slavarevut...@gmail.com> wrote:
> I see the server forwarding the query and it gets the answer below:
>
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> ;;
> ;; ANSWER SECTION:
> aaa.example.org. 200 IN CNAME bbb.example.net.
> bbb.example.net. 60 IN A 10.64.64.64
>
> I would expect the server to return "10.64.64.64" to the client.
> Instead it recurses over "bbb.example.net" which comes back with a
> different "A" record from an external server and returns that IP to
> the client unless I add a forward for "example.net" also. Is this how
> it's supposed to work?

Interesting edge case. I think this is to do with RFC 2181 section 5.4.1
trustworthiness ranking of DNS data. (I seem to be referring to this spec
a lot recently!) In particular,

    Note that the answer section of an authoritative answer normally
    contains only authoritative data. However when the name sought is an
    alias (see section 10.1.1) only the record describing that alias is
    necessarily authoritative. Clients should assume that other records
    may have come from the server's cache. Where authoritative answers
    are required, the client should query again, using the canonical
    name associated with the alias.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Fastnet: Southeast 4 or 5, occasionally 6 at first. Moderate, occasionally
rough at first in southwest. Occasional rain. Good, occasionally moderate.
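
The rule quoted from RFC 2181 section 5.4.1, applied to the answer section in the question. This is an added example, not part of the original message and not BIND's code; the names `RR`, `parse_answer` and `classify` are hypothetical, and re-querying the target of the first alias is an assumption about how to read "the canonical name associated with the alias".

```python
from typing import NamedTuple, Optional

class RR(NamedTuple):
    owner: str
    ttl: int
    rtype: str
    rdata: str

def parse_answer(text: str) -> list:
    """Parse dig-style 'owner ttl class type rdata' lines, skipping ';' comments."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, _cls, rtype, rdata = line.split(None, 4)
        rrs.append(RR(owner.lower(), int(ttl), rtype.upper(), rdata.lower()))
    return rrs

def classify(qname: str, rrs: list):
    """Split an aa answer into (authoritative, unverified, requery_name).

    With an alias at qname, only that CNAME is necessarily authoritative;
    every other record may have come from the server's cache, so the
    target of the alias is returned as the name to query again.
    """
    qname = qname.lower()
    alias: Optional[RR] = next(
        (r for r in rrs if r.owner == qname and r.rtype == "CNAME"), None)
    if alias is None:
        # No alias: records owned by qname are the authoritative answer.
        own = [r for r in rrs if r.owner == qname]
        return own, [r for r in rrs if r.owner != qname], None
    return [alias], [r for r in rrs if r is not alias], alias.rdata

# Answer section taken from the quoted message above.
SAMPLE = """\
;; ANSWER SECTION:
aaa.example.org. 200 IN CNAME bbb.example.net.
bbb.example.net. 60 IN A 10.64.64.64
"""

if __name__ == "__main__":
    auth, unverified, requery = classify("aaa.example.org.", parse_answer(SAMPLE))
    print("authoritative:", auth)
    print("treat as possibly cached:", unverified)
    print("query again for:", requery)
```
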