handling out-of-bailiwick CNAME chains from authoritative servers
Some servers incorrectly answer like this:
    $ kdig @2a02:4a8:ac24:100::96:2 www.rozpocetverejne.cz.
    ;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 41711
    ;; Flags: qr aa rd; QUERY: 1; ANSWER: 1; AUTHORITY: 1; ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;; www.rozpocetverejne.cz.    IN  A

    ;; ANSWER SECTION:
    www.rozpocetverejne.cz.  600  IN  CNAME  ghs.google.com.

    ;; AUTHORITY SECTION:
    google.com.  3600  IN  SOA  alfa.ns.active24.cz. hostmaster.active24.cz. 2017042405 10800 1800 1209600 3600

    ;; Received 132 B
    ;; Time 2017-07-28 10:26:52 CEST
    ;; From 2a02:4a8:ac24:100::96:2@53(UDP) in 5.3 ms
That claims two wrong things: that the server is authoritative for google.com (the aa flag together with a google.com SOA in the authority section), and that the name ghs.google.com doesn't exist (when the answer contains a CNAME chain, the RCODE refers to the last name in the chain, not to the QNAME; see https://tools.ietf.org/html/rfc6604#section-3). We found multiple instances of this, e.g. also from wedos: www.silvidesign.cz.
Kresd currently SERVFAILs on this (the answer fails validation); it would be better to use the in-bailiwick information (the CNAME) and discard the rest of the answer (the out-of-bailiwick SOA and the NXDOMAIN that depends on it), even in this case.
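To make the proposed handling concrete, here is an added example (not kresd code, and not from the original report) of the bailiwick filter a resolver would apply to such an answer. It assumes the resolver knows which zone it was querying this server for (here rozpocetverejne.cz, the delegation point); records whose owner lies outside that zone are dropped, the CNAME chain is followed only through the records that survive, and the RCODE is trusted only if the chain ends inside the zone. Otherwise the RCODE is ignored and resolution restarts at the chain's last in-bailiwick target. The response is constructed from the kdig output above; the `RR`, `Response` and `Sanitized` types are the example's own.

```python
from dataclasses import dataclass
from typing import List, Optional


def canon(name: str) -> str:
    """Normalise a domain name for comparison: strip the trailing dot, lowercase."""
    return name.rstrip(".").lower()


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or lies below it (label-boundary aware)."""
    n, z = canon(name), canon(zone)
    return z == "" or n == z or n.endswith("." + z)


@dataclass
class RR:
    owner: str
    ttl: int
    rtype: str
    rdata: str


@dataclass
class Response:
    qname: str
    rcode: str
    aa: bool
    answer: List[RR]
    authority: List[RR]


@dataclass
class Sanitized:
    answer: List[RR]            # in-bailiwick answer records that may be used/cached
    authority: List[RR]         # in-bailiwick authority records (e.g. a trustworthy SOA)
    rcode: Optional[str]        # None means: the server's RCODE must not be believed
    restart_at: Optional[str]   # name to resolve from scratch when the chain leaves the zone


def follow_cname(qname: str, rrs: List[RR]) -> str:
    """Walk the CNAME chain from qname through rrs and return the final name."""
    name = canon(qname)
    seen = {name}
    while True:
        nxt = next((rr.rdata for rr in rrs
                    if rr.rtype == "CNAME" and canon(rr.owner) == name), None)
        if nxt is None:
            return name
        name = canon(nxt)
        if name in seen:
            raise ValueError("CNAME loop in answer")
        seen.add(name)


def sanitize(resp: Response, zone: str) -> Sanitized:
    """Keep only data the queried zone is entitled to assert (RFC 6604 s3 for the RCODE)."""
    answer = [rr for rr in resp.answer if in_bailiwick(rr.owner, zone)]
    authority = [rr for rr in resp.authority if in_bailiwick(rr.owner, zone)]
    final = follow_cname(resp.qname, answer)
    if in_bailiwick(final, zone):
        # Chain ends inside the zone: the server may legitimately say NXDOMAIN/NODATA.
        return Sanitized(answer, authority, resp.rcode, None)
    # Chain leaves the zone: the RCODE talks about a name this server is not
    # authoritative for, so ignore it and continue resolving the CNAME target.
    return Sanitized(answer, authority, None, final)


def example_response_from_page() -> Sanitized:
    """Constructed from the kdig output in the report: active24 answering for www.rozpocetverejne.cz."""
    resp = Response(
        qname="www.rozpocetverejne.cz.",
        rcode="NXDOMAIN",
        aa=True,
        answer=[RR("www.rozpocetverejne.cz.", 600, "CNAME", "ghs.google.com.")],
        authority=[RR("google.com.", 3600, "SOA",
                      "alfa.ns.active24.cz. hostmaster.active24.cz. "
                      "2017042405 10800 1800 1209600 3600")],
    )
    return sanitize(resp, "rozpocetverejne.cz")


if __name__ == "__main__":
    s = example_response_from_page()
    print("kept answer:   ", s.answer)
    print("kept authority:", s.authority)
    print("usable rcode:  ", s.rcode)
    print("restart at:    ", s.restart_at)
```

Run as-is, the broken answer from the report yields the CNAME, an empty authority section, no usable RCODE and a restart at ghs.google.com; an honest in-bailiwick NXDOMAIN (no CNAME, SOA for the queried zone) passes through with its RCODE intact. The check is deliberately label-boundary aware so that a name like notrozpocetverejne.cz is not mistaken for being inside rozpocetverejne.cz.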