Greg Chavez wrote:
> On 22 Jun 2006 20:35:37 +0100, Chris Thompson wrote:
>
>> I am afraid that both my claims were wrong:
>>
>> that the NS records in the zone were different from the ones
>> at the delegation point (I had picked the wrong set of NS
>> records from the authority section of a reply)
>>
>> that mail1.ccs.bbk.ac.uk was not authoritative for lkl.ac.uk
>> (it's not authoritative for bbk.ac.uk which the CNAME points
>> into, but so what)
>>
>> That will teach me to post too fast (maybe). Apologies.
>
> Whenever some name servers cache a RR for a zone positively while
> others cache negatively, the cause always seems to be a TTL issue or a
> lame/dysfunctional delegation. So, I usually follow the same
> troubleshooting process as Mr. Thompson, looking for the bad name
> server. In fact, it *appears* that the mail.ccs.bbk box is to blame.
>
> But it's not to blame. It returns the CNAME for www.ilk.ac.uk.
> However, its authority section shows the root servers. How does that
> happen? Our Infoblox servers will omit the authority section if
> configured to return minimal responses, but give out the root servers?
> When I first saw the query response, it looked like an iterative
> brush-off. Is this broken? Broken but benign?
>
> ; <<>> DiG 9.2.4 <<>> www.lkl.ac.uk @mail1.ccs.bbk.ac.uk
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1848
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.lkl.ac.uk. IN A
>
> ;; ANSWER SECTION:
> www.lkl.ac.uk. 10800 IN CNAME thor.dcs.bbk.ac.uk.
>
> ;; AUTHORITY SECTION:
> . 3600000 IN NS J.ROOT-SERVERS.NET.
> . 3600000 IN NS K.ROOT-SERVERS.NET.
> . 3600000 IN NS L.ROOT-SERVERS.NET.
> . 3600000 IN NS M.ROOT-SERVERS.NET.
> . 3600000 IN NS A.ROOT-SERVERS.NET.
> . 3600000 IN NS B.ROOT-SERVERS.NET.
> . 3600000 IN NS C.ROOT-SERVERS.NET.
> . 3600000 IN NS D.ROOT-SERVERS.NET.
> . 3600000 IN NS E.ROOT-SERVERS.NET.
> . 3600000 IN NS F.ROOT-SERVERS.NET.
> . 3600000 IN NS G.ROOT-SERVERS.NET.
> . 3600000 IN NS H.ROOT-SERVERS.NET.
> . 3600000 IN NS I.ROOT-SERVERS.NET.
>
> ;; Query time: 137 msec
> ;; SERVER: 193.61.22.6#53(mail1.ccs.bbk.ac.uk)
> ;; WHEN: Fri Jun 23 08:41:53 2006
> ;; MSG SIZE rcvd: 269
>

I'm not sure why you'd consider that "broken" at all. Despite the fact
that its own name is in a fairly close branch of the namespace
hierarchy, mail1.ccs.bbk.ac.uk is not considered authoritative for
thor.dcs.bbk.ac.uk, nor for any domain between that name and the root,
so if it didn't happen to have anything cached for any of those domain
levels -- not surprising, since it seems to have recursion completely
turned off -- the Authority Section of its response should contain, if
anything, root-zone NSes.

Perhaps you're forgetting that when a CNAME -- or a CNAME chain -- is in
the Answer Section of a response, the Authority Section applies to the
target of the CNAME (or the target of the last CNAME in the chain)
rather than to the QNAME itself.


- Kevin
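
The CNAME rule described in the reply above, as an added example that is not part of the original thread: it follows the CNAME chain in a dig reply and checks the Authority Section owner names against the chain's final target rather than the QNAME. The function names, the second sample and the server name `ns1.example.net` are assumptions made for illustration.

```python
# Added example. SAMPLE is abridged from the dig output in the thread.
SAMPLE = """\
;; QUESTION SECTION:
;www.lkl.ac.uk. IN A

;; ANSWER SECTION:
www.lkl.ac.uk. 10800 IN CNAME thor.dcs.bbk.ac.uk.

;; AUTHORITY SECTION:
. 3600000 IN NS J.ROOT-SERVERS.NET.
"""
# Constructed: same answer, but NS for the target's parent zone (placeholder server).
SAMPLE2 = (SAMPLE.split(";; AUTHORITY")[0]
           + ";; AUTHORITY SECTION:\nbbk.ac.uk. 3600 IN NS ns1.example.net.\n")

def norm(name):
    return name.lower().rstrip(".") + "."   # lower-case, exactly one trailing dot
def parse_sections(text):
    # Map section name -> list of whitespace-split records from dig text.
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";;") and line.endswith("SECTION:"):
            current = line.split()[1]
            sections[current] = []
        elif not line:
            current = None               # a blank line ends the section
        elif current:
            f = line.lstrip(";").split()
            sections[current].append([norm(f[0])] + f[1:])
    return sections

def final_target(qname, answer):
    # Follow the CNAME chain in the Answer Section to its last target.
    cnames = {r[0]: norm(r[4]) for r in answer if r[3] == "CNAME"}
    seen = set()
    while qname in cnames and qname not in seen:   # guard against CNAME loops
        seen.add(qname)
        qname = cnames[qname]
    return qname
def is_ancestor(zone, name):
    return zone == "." or name == zone or name.endswith("." + zone)

def explain_authority(text):
    s = parse_sections(text)
    qname = s["QUESTION"][0][0]
    target = final_target(qname, s.get("ANSWER", []))
    zones = {r[0] for r in s.get("AUTHORITY", []) if r[3] == "NS"}
    return {"qname": qname, "target": target, "zones": zones,
            "covers_target": all(is_ancestor(z, target) for z in zones),
            "covers_qname": all(is_ancestor(z, qname) for z in zones)}
```

For the reply quoted in the thread, the root NS set covers both names, so it is simply the least specific referral for the target; the constructed second sample shows a case where a check against the QNAME alone would wrongly flag the Authority Section as unrelated.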