On Tue 19 Aug 2014 08:26:05 PM CEST, Evan Hunt via RT wrote:
>> It seems like BIND will cache something wrong when doing the first query
>> with the CD flag set, which makes it answer inconsistently later on.
>>
>> This behavior is causing validation to fail when such a BIND is used as a
>> forwarder.
>>
>> I'm going to debug BIND to see what's happening. I know it will be like
>> looking for a needle in a haystack; that's why I'm reporting it to you
>> before I have any more clues.
>>
>> I would appreciate any hints on where to look for the cause.
>
> jsonformat.com is violating protocol. Querying for NS or SOA gets NS
> or SOA, but all other data types get CNAME. You're not supposed to have
> a CNAME at the zone apex, or have it coexist with other data types at the
> same node. The nonvalidating query for A put the CNAME record into the
> cache, and the nonvalidating query for DS found it -- the cache doesn't
> know there's a zone cut there, so it doesn't know the CNAME shouldn't be
> used to answer the DS query.

I see now. You are right that the domain is misconfigured and violates
RFC 1034 (section 3.6.2) and RFC 1912 (section 2.4).

> I don't think there's anything we can do about this without violating
> protocol ourselves. jsonformat.com needs to get rid of that CNAME at
> the apex.

I agree. Thank you very much for your explanation.

Regards,
--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc.                 http://cz.redhat.com
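The misconfiguration Evan describes (a CNAME at the zone apex, and more generally a CNAME sharing an owner name with other record types) is something you can lint for before it reaches a resolver. The following is an added example, not code from the thread, from BIND or from Red Hat: a small checker that parses a simplified zone-file text and reports every owner name where a CNAME coexists with other data, with the apex reported explicitly because SOA and NS must live there. The zone data is constructed for illustration and does not reproduce jsonformat.com's real records; the function and variable names are my own.

```python
"""Lint zone data for the RFC 1034 section 3.6.2 rule (also RFC 1912 2.4):
a CNAME must be the only data at its owner name, so it can never sit at
the zone apex next to SOA/NS.  Added example; names and data are assumed."""
from collections import defaultdict

# Constructed sample mirroring the shape of the misconfiguration in the thread.
SAMPLE_ZONE = """
; apex carries SOA and NS as required, plus a CNAME that must not be there
@                   3600 IN SOA   ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 300
@                   3600 IN NS    ns1.example.com.
@                   3600 IN CNAME target.example.net.   ; CNAME at the apex
www                 3600 IN CNAME example.com.          ; fine: CNAME alone
mail.example.com.   3600 IN MX    10 mx.example.net.
mail.example.com.   3600 IN CNAME mx.example.net.       ; CNAME next to MX
ns1                 3600 IN A     192.0.2.1
"""


def _fqdn(name, origin):
    """Normalise an owner name: '@' is the origin, relative names get the
    origin appended, and every result is lowercase with a trailing dot."""
    origin = origin.lower().rstrip(".") + "."
    if name == "@":
        return origin
    name = name.lower()
    return name if name.endswith(".") else name + "." + origin


def parse_records(text, origin):
    """Parse '<owner> [ttl] [IN] <type> <rdata...>' lines into (owner, type)
    pairs.  Blank lines and ';' comments are skipped.  Only the owner and
    RR type matter for this check, so rdata is not interpreted."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        owner = _fqdn(fields[0], origin)
        rest = fields[1:]
        if rest and rest[0].isdigit():          # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":    # optional class
            rest = rest[1:]
        if not rest:
            raise ValueError(f"no RR type in line: {raw!r}")
        records.append((owner, rest[0].upper()))
    return records


def find_cname_conflicts(records, origin):
    """Return a sorted list of (owner, message) for every owner name at which
    a CNAME coexists with other data.  The apex is always a violation when a
    CNAME is present, because SOA and NS are mandatory there."""
    apex = _fqdn("@", origin)
    types_by_owner = defaultdict(set)
    for owner, rtype in records:
        types_by_owner[owner].add(rtype)
    problems = []
    for owner, types in sorted(types_by_owner.items()):
        if "CNAME" not in types:
            continue
        others = ", ".join(sorted(types - {"CNAME"})) or "nothing"
        if owner == apex:
            problems.append((owner, f"CNAME at zone apex, coexisting with {others}"))
        elif others != "nothing":
            problems.append((owner, f"CNAME coexists with {others}"))
    return problems


if __name__ == "__main__":
    for owner, msg in find_cname_conflicts(parse_records(SAMPLE_ZONE, "example.com"), "example.com"):
        print(f"{owner}: {msg}")
```

Run against the constructed zone, the checker reports the apex (CNAME next to SOA and NS) and mail.example.com (CNAME next to MX) and stays silent about www, where the CNAME is the only data. A zone that passes this check will not produce the cache behaviour described above, because the resolver never receives a CNAME for the apex name in the first place.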