Non-standard behavior when encountering single record alias loops
It appears BIND has non-standard (both RFC and ecosystem) behavior when encountering single record CNAME alias loop. When a loop in encountered BIND properly terminates the recursion logic but returns a non-error RCODE and the CNAME it encountered.
When I first saw this I thought the issue was with normal loops (i.e. loop-a.com -> loop-b.com -> loop-a.com) but BIND behaves correctly when encountering this (throwing a SERVFAIL), the issue is with a slightly more strange single record loop (loop-a.com -> loop-a.com). My initial assumption was there was some specific reason for doing this but I was unable to find one (albeit my search was rather brief so I may have missed something) and as far as I can tell none of the other major resolvers display this behavior.
Using the following zone here are my testing results from BIND, Unbound, PowerDNS, and Google's public resolver.
Zone:
loop.testing.bracewel.net. IN CNAME loop.testing.bracewel.net.Results:
BIND 9.12.1:
$ dig a loop.testing.bracewel.net @localhost -p 8053
; <<>> DiG 9.9.7-P3 <<>> a loop.testing.bracewel.net @localhost -p 8053
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38730
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;loop.testing.bracewel.net. IN A
;; ANSWER SECTION:
loop.testing.bracewel.net. 0 IN CNAME loop.testing.bracewel.net.
;; Query time: 1492 msec
;; SERVER: 127.0.0.1#8053(127.0.0.1)
;; WHEN: Tue Mar 20 15:10:15 GMT 2018
;; MSG SIZE rcvd: 68Unbound 1.6.5:
$ dig a loop.testing.bracewel.net @localhost -p 8153
; <<>> DiG 9.9.7-P3 <<>> a loop.testing.bracewel.net @localhost -p 8153
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57714
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1252
;; QUESTION SECTION:
;loop.testing.bracewel.net. IN A
;; Query time: 477 msec
;; SERVER: 127.0.0.1#8153(127.0.0.1)
;; WHEN: Tue Mar 20 15:35:54 GMT 2018
;; MSG SIZE rcvd: 54PowerDNS 4.1.1:
$ dig a loop.testing.bracewel.net @localhost -p 8253
; <<>> DiG 9.9.7-P3 <<>> a loop.testing.bracewel.net @localhost -p 8253
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 65153
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;loop.testing.bracewel.net. IN A
;; ANSWER SECTION:
loop.testing.bracewel.net. 0 IN CNAME loop.testing.bracewel.net.
;; Query time: 168 msec
;; SERVER: 127.0.0.1#8253(127.0.0.1)
;; WHEN: Tue Mar 20 15:47:23 GMT 2018
;; MSG SIZE rcvd: 68Google:
$ dig a loop.testing.bracewel.net @8.8.8.8
; <<>> DiG 9.9.7-P3 <<>> a loop.testing.bracewel.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19269
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;loop.testing.bracewel.net. IN A
;; Query time: 72 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Mar 20 15:11:36 GMT 2018
;; MSG SIZE rcvd: 54