Bug 751 - NSD fails to occlude names below a DNAME
Status: RESOLVED FIXED
Product: NSD
Classification: Unclassified
Component: NSD Code
Version: 4.1.x
Hardware: All All
Importance: P5 minor
Assigned To: NSD team
Reported: 2016-04-03 05:29 CEST by Anand Buddhdev
Modified: 2016-04-04 16:24 CEST
Description Anand Buddhdev 2016-04-03 05:29:07 CEST
NSD loads a zone containing:

a.example.com.     DNAME  b.example.com.
www.a.example.com  A      1.2.3.4

When queried for www.a.example.com/A, NSD responds with the A record, when in fact, it should be responding with:

;; ANSWER SECTION:
a.example.com.     172800  IN  DNAME  b.example.com.
www.a.example.com  172800  IN  CNAME  www.b.example.com.


In my opinion, NSD should either occlude (hide) all names below a DNAME, or refuse to load the zone (and also refuse an XFR that attempts to modify a zone in this way).
Comment 1 Wouter Wijngaards 2016-04-04 09:23:05 CEST
Hi Anand,

NSD is built to occlude data below DNAME records.  (and below NS delegation cuts).

I just tried it and for me it responds with:
a.example.com.		DNAME	b.example.com.
www.a.example.com.	CNAME	www.b.example.com.

So, something else is going on?  File on disk not in sync with data in memory?

Best regards, Wouter
Comment 2 Wouter Wijngaards 2016-04-04 10:20:33 CEST
Hi Anand,

You are correct and I can reproduce it.

NSD makes a difference between master and slave zones.  For master zones, it refuses to load occluded zones with an error.  For slave zones, it allows this, and then gives the answer you state.  And that is wrong.

Best regards, Wouter
Comment 3 Wouter Wijngaards 2016-04-04 16:24:34 CEST
Hi Anand,

Fixed in the code repository.  Thanks for the bug report!

Best regards, Wouter
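
Added example, not part of the bug thread and not NSD's code: a pre-load check for zone data (for instance a zone received by transfer) that lists records sitting below a DNAME owner, together with the CNAME target a query for each should synthesize instead. The record tuples, function names and sample zone are assumptions made for illustration; NS delegation cuts are left out because glue below them is legitimate.

```python
def labels(name):
    """Split a domain name into lower-cased labels, ignoring the trailing dot."""
    return name.rstrip(".").lower().split(".")

def is_below(name, ancestor):
    """True only for strict descendants, compared label by label."""
    n, a = labels(name), labels(ancestor)
    return len(n) > len(a) and n[-len(a):] == a

def synthesize_cname(qname, dname_owner, dname_target):
    """Swap the DNAME owner suffix of qname for the DNAME target."""
    q, o = labels(qname), labels(dname_owner)
    return ".".join(q[:len(q) - len(o)] + labels(dname_target)) + "."

def find_occluded(records):
    """Return (owner, type, dname_owner, expected_cname_target) per hidden record."""
    dnames = [(o, rdata) for o, t, rdata in records if t == "DNAME"]
    hits = []
    for owner, rtype, _ in records:
        for d_owner, d_target in dnames:
            if is_below(owner, d_owner):
                hits.append((owner, rtype, d_owner,
                             synthesize_cname(owner, d_owner, d_target)))
                break
    return hits

# Constructed sample: the two records from the report plus neighbours.
ZONE = [
    ("example.com.", "NS", "ns1.example.com."),
    ("a.example.com.", "DNAME", "b.example.com."),
    ("www.a.example.com.", "A", "1.2.3.4"),
    ("aa.example.com.", "A", "192.0.2.10"),   # shares a string suffix, not a label suffix
    ("www.b.example.com.", "A", "192.0.2.20"),
]

if __name__ == "__main__":
    for owner, rtype, cut, target in find_occluded(ZONE):
        print(f"{owner} {rtype} is occluded by DNAME at {cut}; "
              f"a query should yield CNAME {target}")
```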