[Unbound-users] Puzzling behavior with DNAME

[Sebastian Castro]

Stephane Bortzmeyer wrote:
> I'm playing with māori domain names
> <http://www.te-reo.maori.dns.net.nz/> and Unbound's behavior surprises
> me.
> 

I'd like to add the behavior from Unbound is strange (yes, I already
read Wouter response).

The authoritative nameservers for maori.dns.net.nz and
xn--mori-qsa.dns.net.nz are the same and run BIND9.

Saying that, if you ask any of them for the query Stephane sent, you get
an NXDOMAIN response:

secastro at klendathu:~$ dig ANY tagadatsointsoin.xn--mori-qsa.dns.net.nz
@ns1.dns.net.nz +norec

; <<>> DiG 9.6.1-P2 <<>> ANY tagadatsointsoin.xn--mori-qsa.dns.net.nz
@ns1.dns.net.nz +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8271
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;tagadatsointsoin.xn--mori-qsa.dns.net.nz. IN ANY

;; ANSWER SECTION:
xn--mori-qsa.dns.net.nz. 86400	IN	DNAME	maori.dns.net.nz.
tagadatsointsoin.xn--mori-qsa.dns.net.nz. 0 IN CNAME
tagadatsointsoin.maori.dns.net.nz.

;; AUTHORITY SECTION:
maori.dns.net.nz.	3600	IN	SOA	loopback.dns.net.nz. soa.nzrs.net.nz.
2010051262 3600 1200 604800 3600

;; Query time: 16 msec
;; SERVER: 202.46.190.130#53(202.46.190.130)
;; WHEN: Wed May 26 12:10:37 2010
;; MSG SIZE  rcvd: 173


Because the nameserver queried in authoritative for both zones,
according to RFC2672, Section 4.1, 3.c: "If at some label, a match is
impossible (i.e., the corresponding label does not exist), look to see
whether the last label matched has a DNAME record.", then the
substitution is performed and the resulting name is searched again,
leading to a NXDOMAIN.

So I'm not completely clear which steps is Unbound taking to handle that
query which led to a NOERROR response, but sounds interesting to know.


Cheers!
-- 
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535