SOA MNAME '.' due to DNS UPDATEs

[massar]

I get the warning: "SOA 'mname' field does not exist" for fcom.ch (and all other zones on that DNS server as they all are configured that way).

The SOA MNAME is configured as ".", this as the MNAME is used by customers's machines to lookup the host they can send DNS UPDATEs (https://tools.ietf.org/html/rfc2136)

Of course, we do not allow DNS UPDATE to our authoritive, static server. There are thus a lot of DNS UPDATE queries being sent to any host configured in the MNAME (fcom.ch is used for reverse DNS for 400k++ cable hosts), which otherwise causes a lot of useless traffic.

Setting the MNAME to '.' (or empty when dot-stripping as likely happens in the test), indicates to DNS UPDATE tools that there is no DNS server to send DNS UPDATEs too, as there is no host specified that could receive them.

As such, having a SOA MNAME configured to just '.' is quite valid and actually recommended for most locations as most locations do not support DNS UPDATEs.

Greets,
Jeroen

[matsduf]

Thank you for the comment. The message is not very clear. It should rather be that there is no A or AAAA record defined for that name. The dot should not be stripped as it probably is as you suggest.

I see your issue, but the DNS standard says that it should be the "primary master server" of that zone. Or do you know of any RFC that updates that? Any RFC that recommends or permits to use "." as MNAME?

[massar]

The message is not very clear.

What part exactly? Can you rephrase?

It should rather be that there is no A or AAAA record defined for that name

One cannot assign A/AAAA or anything to '.'. Also it makes it clear that the server does not exist and that it can be given up on. (A random label in the domain would still indicate a valid host and that attempts to should be made to send DNS Updates).

DNS standard says that it should be the "primary master server"

The DNS Update RFC2136 messes up the concept of 'primary master server'.

Afaik there are no RFCs that recommend using it this way, but it is the same mechanism used by RFC7505 (https://tools.ietf.org/html/rfc7505)

Both Windows and ISC DHCP client support NULL MNAME and handle it by not sending any updates to the MNAME (as there is none) and do not keep on attempt to repeat sending it.

The solution I am simply suggesting is to update the test and treat a NULL MNAME (MNAME = '.') as "no primary available" and succeed the test.

[matsduf]

The message is not very clear.

What part exactly? Can you rephrase?

The message "SOA 'mname' field does not exist" is not very clear since the MNAME field does exist, but is has a null lenght domain name.

One cannot assign A/AAAA or anything to '.'.

In the root zone one could define A or AAAA for ".", technically, but it is usually not useful.

Afaik there are no RFCs that recommend using it this way, but it is the same mechanism used by RFC7505 (https://tools.ietf.org/html/rfc7505)

Such a reference would be useful.

Both Windows and ISC DHCP client support NULL MNAME and handle it by not sending any updates to the MNAME (as there is none) and do not keep on attempt to repeat sending it.

The solution I am simply suggesting is to update the test and treat a NULL MNAME (MNAME = '.') as "no primary available" and succeed the test.

I understand your request. Do you have references to Windows or ISC DHCPD having treating a null string MNAME in that way? I think your suggestion makes sense, but I would like to have so reference motivating it.

[massar]

Bit late reply, too much going on in the world at the moment.

Also took a bit to dig out where it happens in nsupdate (and even harder to find in dhclient)
Good that I recall that the mname is called origin in ISC speak.

Technically, one can define any label that has no addresses (A/AAAA) as the primary.
A NULL SOA MNAME (".") just signals this clearly as it cannot have any addresses (unless some root operator messes us up. A label like "noprimary." or "noprimary.example.net" could technically also work; but as there are no addresses this test will then also fail; and as there is then a host, that is indeed suspicious, knowing all variants of that is impossible, hence "NULL SOA MNAME" being a good variant. Similar to a NULL MX.

The code that "aborts" is:
https://github.com/isc-projects/bind9/blob/master/bin/nsupdate/nsupdate.c#L2764

the important lines, others skipped (...) :

static void
recvsoa(isc_task_t *task, isc_event_t *event) {
...
	dns_name_init(&master, NULL);
	dns_name_clone(&soa.origin, &master);
...
		dns_name_format(&master, namestr, sizeof(namestr));
		fprintf(stderr, "The master is: %s\n", namestr);
...
	if (default_servers) {
...
		master_total = get_addresses(serverstr, dnsport, master_servers,
					     master_alloc);
		if (master_total == 0) {
			exit(1);
		}
...

Thus nsupdate, when using "default servers" (which comes from the SOA MNAME / "origin" / "primary") will find a mname, populate it in "master" and try to lookup addresses.

As "." does not have any addresses associated, the "master_total" of addresses is 0, and exit(1) is called: an explicit abort without even mentioning that it failed..... yeah.
(even more confusing if there actually is a primary :))

Additionally, I'll prepare an IETF draft to document this behavior; then we can reference that at least and lets see if I can push it through dnsop or just as an ID as it will be informational anyway.

[matsduf]

@massar, thank you. A draft would good, but hopefully it could all the way through and become an RFC. Dead drafts make no one happy. Please create a note here when there is a draft.

Just for my notes: Update of ZONE01 and SYNTAX07 (here linked to the develop branch).

This is also related to issue #754.