Selective 'stop' on CNAME-chasing for resolvers
This feature request is to help organisations that are using recursive servers to 'manage' boundary authoritative DNS services. Specifically, the scenario is how to stop resolvers attempting to follow CNAME chains that point outside of the domain (and subdomains of that domain) that are being 'served' this way.
The scenario is one in which a complex organisation wishes to have all client queries for their authoritative domains (and subdomains) handled solely by a set of nameservers that are Internet-facing. These servers are authoritative for the top level domain(s) but delegate subdomains to other internal servers, which themselves may delegate yet again. It is not possible (for various reasons) for the Internet-facing servers to slave all of the delegated subdomains and sub-sub-domains...
These resolvers, therefore, are acting as proxies, and use normal recursion towards the delegated subdomain servers in order to obtain the answers that they need for the clients.
Client queries, as you would expect, are non-recursive (originating from Internet resolvers) but have RD added by means of packet manipulation tools. Similarly, the same tools flip the header bit settings back again on the query responses on the way out.
One point (there are others - they are not for discussion here) where this design breaks is in handling CNAME chains in some circumstances.
A normal recursive resolver expects to follow a CNAME chain all the way to the final RRset and to return that, along with the CNAME chain itself, to the stub client that queried it with 'RD' set. If it cannot complete that, it will SERVFAIL. A genuine authoritative server will stop attempting to follow CNAME chains if they point outside of the zones for which it is authoritative, and will fill the query response with what it has, assuming that the (resolver) client will be able to pick up and make onward queries to other servers to complete the chain.
The 'custom' resolvers in this unusual proxy configuration are only able to resolve names within the organisation's internal namespace. They cannot (and should not - recall that they are emulating authoritative servers) follow CNAMEs that point outside of their domain(s).
But there is currently no mechanism for telling named to stop trying and to return 'what it has so far' when it is configured to be a resolver, so when they encounter 'out of domain' CNAMEs, they fail.
What is wished for is a configuration option to control this so that a resolver that is masquerading as authoritative can stop CNAME-chasing (probably on a per-domain basis) without SERVFAILing.
This is not an option that would ever be valid for a normal recursive server.
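The following is an added model of the two behaviours contrasted above (it is not BIND code, and the option it models does not exist in named). A small constructed record set stands in for the organisation's namespace; `resolve()` follows CNAMEs the way a recursive resolver does, but with `stop_out_of_domain=True` it returns the partial chain as NOERROR when the next target leaves the served domains, whereas with the flag off it SERVFAILs because the proxy cannot resolve the external name. The domain names, addresses and the `stop_out_of_domain` parameter are all assumptions made for the example.

```python
"""Model of CNAME-chasing with an 'out-of-domain stop' (added example,
not named's own logic). Records and domain names are constructed."""

from dataclasses import dataclass, field
from typing import Optional

# Constructed: the organisation serves example.org and everything below it.
SERVED = ("example.org.",)

# Constructed records. cdn.example.org. is the interesting case: its CNAME
# target lies outside the served namespace, so a proxy resolver that can
# only resolve internal names cannot complete the chain.
RECORDS = {
    "www.example.org.": [("CNAME", "web.hr.example.org.")],
    "web.hr.example.org.": [("CNAME", "lb.hr.example.org.")],
    "lb.hr.example.org.": [("A", "192.0.2.10")],
    "cdn.example.org.": [("CNAME", "edge.cdn-provider.test.")],
    "loop.example.org.": [("CNAME", "loop2.example.org.")],
    "loop2.example.org.": [("CNAME", "loop.example.org.")],
}


def in_served_domain(name, served=SERVED):
    """True if name is one of the served domains or lies beneath one."""
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in served)


@dataclass
class Answer:
    status: str                        # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    rrsets: list = field(default_factory=list)   # (owner, type, [rdata])
    stopped_at: Optional[str] = None   # out-of-domain target that ended the chase


def resolve(qname, qtype="A", records=RECORDS, served=SERVED,
            stop_out_of_domain=True):
    """Follow a CNAME chain from qname.

    stop_out_of_domain=True  -> proposed behaviour: return the chain so far
                                (NOERROR) and let the querying resolver
                                continue elsewhere.
    stop_out_of_domain=False -> current resolver behaviour in the proxy setup:
                                the external target cannot be resolved, so the
                                whole query fails with SERVFAIL.
    """
    ans = Answer("NOERROR")
    name = qname.lower()
    seen = set()
    while True:
        if name in seen:
            # A CNAME loop inside the served namespace can never complete.
            return Answer("SERVFAIL", ans.rrsets)
        seen.add(name)

        rrs = records.get(name)
        if rrs is None:
            # Owner does not exist; any CNAMEs already collected stay in the answer.
            ans.status = "NXDOMAIN"
            return ans

        direct = [v for t, v in rrs if t == qtype]
        if direct:
            ans.rrsets.append((name, qtype, direct))
            return ans

        cname = next((v for t, v in rrs if t == "CNAME"), None)
        if cname is None:
            # Name exists but has no records of qtype (NOERROR / NODATA).
            return ans

        ans.rrsets.append((name, "CNAME", [cname]))
        if not in_served_domain(cname, served):
            if stop_out_of_domain:
                ans.stopped_at = cname
                return ans
            # The proxy has no way to reach the external target.
            return Answer("SERVFAIL", ans.rrsets)
        name = cname.lower()


if __name__ == "__main__":
    for q, stop in (("www.example.org.", True),
                    ("cdn.example.org.", True),
                    ("cdn.example.org.", False)):
        print(q, stop, resolve(q, stop_out_of_domain=stop))
```

The `stopped_at` field is what a real implementation would not need on the wire: the partial answer is simply a NOERROR response whose last answer record is a CNAME, which is exactly what an authoritative server returns today and what an Internet resolver already knows how to continue from.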
This request has been discussed with engineering - who agreed to do a technical feasibility evaluation only.