Is there a reason why Route53 doesn’t comply with RFC 8020?

1

Hello,

Route53 doesn’t comply with RFC 8020 in that it returns NXDOMAIN for empty non-terminal domains. This causes issues with caching resolvers which implement RFC 8020 (NXDOMAIN cut), because they return NXDOMAIN for sub-domains of an empty non-terminal once they have cached the NXDOMAIN returned by Route53 for this empty non-terminal.

Is there a reason why Route53 doesn’t comply with RFC 8020, or is it a bug which should be fixed?

Regards

  • Don't quite follow.. could you share an example at all?

  • Sure!

    openshift-ch-1.camptocamp.com is a DNS zone managed by Route53:

    ❯ dig -t ns openshift-ch-1.camptocamp.com

    ; <<>> DiG 9.18.20 <<>> -t ns openshift-ch-1.camptocamp.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29515
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 65494
    ;; QUESTION SECTION:
    ;openshift-ch-1.camptocamp.com. IN NS

    ;; ANSWER SECTION:
    openshift-ch-1.camptocamp.com. 172800 IN NS ns-1156.awsdns-16.org.
    openshift-ch-1.camptocamp.com. 172800 IN NS ns-1597.awsdns-07.co.uk.
    openshift-ch-1.camptocamp.com. 172800 IN NS ns-340.awsdns-42.com.
    openshift-ch-1.camptocamp.com. 172800 IN NS ns-656.awsdns-18.net.

    ;; Query time: 14 msec
    ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
    ;; WHEN: Mon Jan 29 10:25:22 CET 2024
    ;; MSG SIZE rcvd: 195

  • apps.openshift-ch-1.camptocamp.com is an empty non-terminal:

    ❯ dig @ns-1156.awsdns-16.org. apps.openshift-ch-1.camptocamp.com

    ; <<>> DiG 9.18.20 <<>> @ns-1156.awsdns-16.org. apps.openshift-ch-1.camptocamp.com
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57427
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;apps.openshift-ch-1.camptocamp.com. IN A

    ;; AUTHORITY SECTION:
    openshift-ch-1.camptocamp.com. 900 IN SOA ns-656.awsdns-18.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

    ;; Query time: 16 msec
    ;; SERVER: 205.251.196.132#53(ns-1156.awsdns-16.org.) (UDP)
    ;; WHEN: Mon Jan 29 10:26:49 CET 2024
    ;; MSG SIZE rcvd: 144

  • There’s a wildcard *.apps.openshift-ch-1.camptocamp.com:

    ❯ dig @ns-1156.awsdns-16.org. test.apps.openshift-ch-1.camptocamp.com

    ; <<>> DiG 9.18.20 <<>> @ns-1156.awsdns-16.org. test.apps.openshift-ch-1.camptocamp.com
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23259
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;test.apps.openshift-ch-1.camptocamp.com. IN A

    ;; ANSWER SECTION:
    test.apps.openshift-ch-1.camptocamp.com. 15 IN A 159.100.247.234

    ;; AUTHORITY SECTION:
    openshift-ch-1.camptocamp.com. 172800 IN NS ns-1156.awsdns-16.org.
    openshift-ch-1.camptocamp.com. 172800 IN NS ns-1597.awsdns-07.co.uk.
    openshift-ch-1.camptocamp.com. 172800 IN NS ns-340.awsdns-42.com.
    openshift-ch-1.camptocamp.com. 172800 IN NS ns-656.awsdns-18.net.

    ;; Query time: 17 msec
    ;; SERVER: 205.251.196.132#53(ns-1156.awsdns-16.org.) (UDP)
    ;; WHEN: Mon Jan 29 10:29:25 CET 2024
    ;; MSG SIZE rcvd: 221

  • Now, let’s query a resolver adhering to RFC 8020:

    ❯ dig @ns0.dom.scw.cloud apps.openshift-ch-1.camptocamp.com

    ; <<>> DiG 9.18.20 <<>> @ns0.dom.scw.cloud apps.openshift-ch-1.camptocamp.com
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23370
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ;; QUESTION SECTION:
    ;apps.openshift-ch-1.camptocamp.com. IN A

    ;; AUTHORITY SECTION:
    . 3600 IN SOA ns0.online.net. hostmaster. 2021052601 10800 3600 604800 3600

    ;; Query time: 32 msec
    ;; SERVER: 195.154.228.249#53(ns0.dom.scw.cloud) (UDP)
    ;; WHEN: Mon Jan 29 10:30:31 CET 2024
    ;; MSG SIZE rcvd: 122

Yann
asked 4 months ago, 143 views
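To make the interaction described in the question concrete, here is an added model (not code from the thread, from Route 53 or from any resolver) of an RFC 8020 NXDOMAIN-cut cache sitting in front of an authoritative server; the zone names and the address are taken from the dig output above, while the responses themselves are constructed for the example.

```python
# Model of an RFC 8020 "NXDOMAIN cut" cache in front of an authoritative
# server that answers NXDOMAIN for an empty non-terminal (ENT). Added
# example, not code from the thread; zone names and the address are taken
# from the dig output above, the responses themselves are constructed.

ZONE = "openshift-ch-1.camptocamp.com."
ENT = "apps." + ZONE            # has no records of its own
WILDCARD_A = "159.100.247.234"  # served by *.apps.<zone>


def authoritative(qname: str, rfc8020_compliant: bool) -> tuple[str, list[str]]:
    """Return (rcode, answers) as the authoritative server would.

    rfc8020_compliant=False reproduces the Route 53 behaviour shown above
    (NXDOMAIN for the ENT); True answers the ENT with NOERROR and no data
    (NODATA), which is what RFC 8020 expects."""
    if qname == ENT:
        return ("NOERROR" if rfc8020_compliant else "NXDOMAIN", [])
    if qname.endswith("." + ENT):
        return ("NOERROR", [WILDCARD_A])
    return ("NXDOMAIN", [])


class NxdomainCutCache:
    """Caching resolver implementing the NXDOMAIN cut (RFC 8020 section 2):
    once NXDOMAIN is cached for a name, every name below it is answered
    NXDOMAIN from cache without asking the authoritative server."""

    def __init__(self, rfc8020_compliant_auth: bool) -> None:
        self.negative: set[str] = set()  # names with a cached NXDOMAIN
        self.auth_compliant = rfc8020_compliant_auth

    def resolve(self, qname: str) -> tuple[str, list[str]]:
        labels = qname.split(".")
        # qname itself or any ancestor cached as NXDOMAIN -> answer from cache
        for i in range(len(labels)):
            if ".".join(labels[i:]) in self.negative:
                return ("NXDOMAIN", [])
        rcode, answers = authoritative(qname, self.auth_compliant)
        if rcode == "NXDOMAIN":
            self.negative.add(qname)
        return (rcode, answers)


def wildcard_after_ent_lookup(rfc8020_compliant_auth: bool) -> tuple[str, list[str]]:
    """Look up the ENT, then a name under the wildcard, through one cache."""
    cache = NxdomainCutCache(rfc8020_compliant_auth)
    cache.resolve(ENT)
    return cache.resolve("test." + ENT)
```

With the non-compliant authority the wildcard name is invisible through the cache until the negative entry expires; with a NODATA answer for the ENT nothing below it is affected.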
2 Answers
0

There might be good reasons why this isn't implemented but I'm not in a position to say (I don't really know). However, the vast majority of features in AWS services are there because customers requested them - so I'd encourage you to reach out to your local AWS Solutions Architect. They have channels for taking feedback to the service teams; and they may be able to find a more specific answer for you.

AWS EXPERT
answered 4 months ago
0

Hello,

Here is the answer from AWS support:

For historical reasons, Route 53 returns “NXDOMAIN” instead of “NOERROR” for empty non-terminal (ENT) domain names. Correcting this behavior is on our roadmap, but we currently don't have an ETA as AWS does not publicize the roadmap items; however, as soon as it gets released, it should be publicly announced on either one of our webpages:

https://aws.amazon.com/blogs/aws/
http://aws.amazon.com/new

Yann
answered 3 months ago
