Is there a reason why Route53 doesn’t comply with RFC 8020?

1

Hello,

Route53 doesn’t comply with RFC 8020 in that it returns NXDOMAIN for empty non-terminal domains. This causes issues with caching resolvers which implement RFC 8020 (NXDOMAIN cut), because they return NXDOMAIN for sub-domains of an empty non-terminal once they have cached the NXDOMAIN returned by Route53 for this empty non-terminal.

Is there a reason why Route53 doesn’t comply with RFC 8020, or is it a bug which should be fixed?

Regards

  • Don't quite follow... could you share an example at all?

  • Sure!

    openshift-ch-1.camptocamp.com is a DNS zone managed by Route53:

    ❯ dig -t ns openshift-ch-1.camptocamp.com

    ; <<>> DiG 9.18.20 <<>> -t ns openshift-ch-1.camptocamp.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29515
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 65494
    ;; QUESTION SECTION:
    ;openshift-ch-1.camptocamp.com. IN NS

    ;; ANSWER SECTION:
    openshift-ch-1.camptocamp.com. 172800 IN NS ns-1156.awsdns-16.org.
    openshift-ch-1.camptocamp.com. 172800 IN NS ns-1597.awsdns-07.co.uk.
    openshift-ch-1.camptocamp.com. 172800 IN NS ns-340.awsdns-42.com.
    openshift-ch-1.camptocamp.com. 172800 IN NS ns-656.awsdns-18.net.

    ;; Query time: 14 msec
    ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
    ;; WHEN: Mon Jan 29 10:25:22 CET 2024
    ;; MSG SIZE rcvd: 195

  • apps.openshift-ch-1.camptocamp.com is an empty non-terminal:

    ❯ dig @ns-1156.awsdns-16.org. apps.openshift-ch-1.camptocamp.com

    ; <<>> DiG 9.18.20 <<>> @ns-1156.awsdns-16.org. apps.openshift-ch-1.camptocamp.com
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57427
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;apps.openshift-ch-1.camptocamp.com. IN A

    ;; AUTHORITY SECTION:
    openshift-ch-1.camptocamp.com. 900 IN SOA ns-656.awsdns-18.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

    ;; Query time: 16 msec
    ;; SERVER: 205.251.196.132#53(ns-1156.awsdns-16.org.) (UDP)
    ;; WHEN: Mon Jan 29 10:26:49 CET 2024
    ;; MSG SIZE rcvd: 144

  • There’s a wildcard *.apps.openshift-ch-1.camptocamp.com:

    ❯ dig @ns-1156.awsdns-16.org. test.apps.openshift-ch-1.camptocamp.com

    ; <<>> DiG 9.18.20 <<>> @ns-1156.awsdns-16.org. test.apps.openshift-ch-1.camptocamp.com
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23259
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;test.apps.openshift-ch-1.camptocamp.com. IN A

    ;; ANSWER SECTION:
    test.apps.openshift-ch-1.camptocamp.com. 15 IN A 159.100.247.234

    ;; AUTHORITY SECTION:
    openshift-ch-1.camptocamp.com. 172800 IN NS ns-1156.awsdns-16.org.
    openshift-ch-1.camptocamp.com. 172800 IN NS ns-1597.awsdns-07.co.uk.
    openshift-ch-1.camptocamp.com. 172800 IN NS ns-340.awsdns-42.com.
    openshift-ch-1.camptocamp.com. 172800 IN NS ns-656.awsdns-18.net.

    ;; Query time: 17 msec
    ;; SERVER: 205.251.196.132#53(ns-1156.awsdns-16.org.) (UDP)
    ;; WHEN: Mon Jan 29 10:29:25 CET 2024
    ;; MSG SIZE rcvd: 221

  • Now, let’s query a resolver adhering to RFC 8020:

    ❯ dig @ns0.dom.scw.cloud apps.openshift-ch-1.camptocamp.com

    ; <<>> DiG 9.18.20 <<>> @ns0.dom.scw.cloud apps.openshift-ch-1.camptocamp.com
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23370
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ;; QUESTION SECTION:
    ;apps.openshift-ch-1.camptocamp.com. IN A

    ;; AUTHORITY SECTION:
    . 3600 IN SOA ns0.online.net. hostmaster. 2021052601 10800 3600 604800 3600

    ;; Query time: 32 msec
    ;; SERVER: 195.154.228.249#53(ns0.dom.scw.cloud) (UDP)
    ;; WHEN: Mon Jan 29 10:30:31 CET 2024
    ;; MSG SIZE rcvd: 122

Yann
asked 4 months ago, 152 views
2 answers
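The following is an added example, not code from the question or from AWS: a small Python model of the interaction the question describes. A toy authoritative server serves a constructed zone (example.com with a wildcard *.apps.example.com, so apps.example.com is an empty non-terminal) and can be switched between answering NOERROR/NODATA for the ENT, as RFC 8020 expects, and answering NXDOMAIN for it, as Route 53 did in the dig output above. A toy caching resolver in front of it applies the RFC 8020 NXDOMAIN cut. Running both scenarios shows why the wildcard name stops resolving only when the two behaviours meet. All names, addresses and the `nxdomain_for_ent` / `nxdomain_cut` switches are this example's own assumptions.

```python
"""Toy model of RFC 8020 "NXDOMAIN cut" at a caching resolver, fed by an
authoritative server that answers either NOERROR/NODATA (RFC 8020) or
NXDOMAIN (the Route 53 behaviour from the thread) for an empty non-terminal.
Zone data below is constructed for the example."""

NOERROR = "NOERROR"
NXDOMAIN = "NXDOMAIN"

# Constructed zone: the wildcard *.apps.example.com makes apps.example.com an
# empty non-terminal (ENT): it has descendants but owns no records itself.
ZONE_RECORDS = {
    "example.com": {
        "SOA": ["ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 86400"],
        "NS": ["ns1.example.com."],
    },
    "ns1.example.com": {"A": ["192.0.2.1"]},
    "*.apps.example.com": {"A": ["192.0.2.10"]},
}


def labels(name):
    """Split an owner name into labels, ignoring case and a trailing dot."""
    return name.rstrip(".").lower().split(".")


def is_subdomain(name, ancestor):
    """True if name lies strictly below ancestor in the DNS tree."""
    a, b = labels(name), labels(ancestor)
    return len(a) > len(b) and a[-len(b):] == b


class AuthoritativeZone:
    def __init__(self, origin, records, nxdomain_for_ent=False):
        self.origin = origin.rstrip(".").lower()
        self.records = {k.rstrip(".").lower(): v for k, v in records.items()}
        self.nxdomain_for_ent = nxdomain_for_ent  # True models the Route 53 behaviour

    def empty_non_terminals(self):
        """Names strictly between the apex and an existing owner that own no RRset."""
        ents = set()
        depth = len(labels(self.origin))
        for owner in self.records:
            parts = labels(owner)
            for i in range(1, len(parts) - depth):
                ancestor = ".".join(parts[i:])
                if ancestor not in self.records:
                    ents.add(ancestor)
        return ents

    def query(self, qname, qtype):
        """Return (rcode, rdata list) as the authoritative server would."""
        qname = qname.rstrip(".").lower()
        ents = self.empty_non_terminals()
        if qname in self.records:        # name exists: NOERROR, possibly with no data
            return NOERROR, self.records[qname].get(qtype, [])
        if qname in ents:                # name exists implicitly: RFC 8020 wants NODATA
            return (NXDOMAIN, []) if self.nxdomain_for_ent else (NOERROR, [])
        parts = labels(qname)            # RFC 4592: closest encloser, then its wildcard
        for i in range(1, len(parts)):
            ancestor = ".".join(parts[i:])
            if ancestor in self.records or ancestor in ents:
                wildcard = "*." + ancestor
                if wildcard in self.records:
                    return NOERROR, self.records[wildcard].get(qtype, [])
                break
        return NXDOMAIN, []


class CachingResolver:
    def __init__(self, upstream, nxdomain_cut=True):
        self.upstream = upstream
        self.nxdomain_cut = nxdomain_cut  # RFC 8020: a cached NXDOMAIN covers subdomains
        self.negative_cache = set()       # names for which NXDOMAIN has been cached

    def resolve(self, qname, qtype):
        """Return (rcode, rdata, source) where source is 'cache' or 'upstream'."""
        qname = qname.rstrip(".").lower()
        if self.nxdomain_cut and any(
            qname == cached or is_subdomain(qname, cached) for cached in self.negative_cache
        ):
            return NXDOMAIN, [], "cache"
        rcode, rdata = self.upstream.query(qname, qtype)
        if rcode == NXDOMAIN:
            self.negative_cache.add(qname)
        return rcode, rdata, "upstream"


def scenario(nxdomain_for_ent, nxdomain_cut=True):
    """Some client queries the ENT first; then a name under the wildcard is asked for."""
    zone = AuthoritativeZone("example.com", ZONE_RECORDS, nxdomain_for_ent)
    resolver = CachingResolver(zone, nxdomain_cut)
    ent_rcode, _, _ = resolver.resolve("apps.example.com", "A")
    wild_rcode, _, source = resolver.resolve("test.apps.example.com", "A")
    return ent_rcode, wild_rcode, source


if __name__ == "__main__":
    print("RFC 8020 authoritative, RFC 8020 resolver:", scenario(False))
    print("NXDOMAIN for ENT,       RFC 8020 resolver:", scenario(True))
    print("NXDOMAIN for ENT,       resolver w/o cut :", scenario(True, nxdomain_cut=False))
```

The third run shows why the problem is easy to miss: a resolver that does not implement the NXDOMAIN cut still resolves the wildcard name, so the breakage appears only behind RFC 8020 resolvers and only after something has queried the ENT itself. `empty_non_terminals()` is the check worth running over your own zone data, since every name it returns is one for which the authoritative answer matters.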
0

There might be good reasons why this isn't implemented but I'm not in a position to say (I don't really know). However, the vast majority of features in AWS services are there because customers requested them - so I'd encourage you to reach out to your local AWS Solutions Architect. They have channels for taking feedback to the service teams; and they may be able to find a more specific answer for you.

AWS
EXPERT
answered 4 months ago
0

Hello,

Here is the answer from AWS support:

For historical reasons, Route 53 returns “NXDOMAIN” instead of “NOERROR” for empty non-terminal (ENT) domain names. Correcting this behavior is on our roadmap, but we currently don't have an ETA, as AWS does not publicize roadmap items; however, as soon as it gets released, it should be publicly announced on either one of our web pages:

https://aws.amazon.com/blogs/aws/
http://aws.amazon.com/new

Yann
answered 4 months ago
