handling out-of-bailiwick CNAME chains from authoritative servers
Some servers incorrectly answer like this:
$ kdig @2a02:4a8:ac24:100::96:2 www.rozpocetverejne.cz.
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 41711
;; Flags: qr aa rd; QUERY: 1; ANSWER: 1; AUTHORITY: 1; ADDITIONAL: 0
;; QUESTION SECTION:
;; www.rozpocetverejne.cz. IN A
;; ANSWER SECTION:
www.rozpocetverejne.cz. 600 IN CNAME ghs.google.com.
;; AUTHORITY SECTION:
google.com. 3600 IN SOA alfa.ns.active24.cz. hostmaster.active24.cz. 2017042405 10800 1800 1209600 3600
;; Received 132 B
;; Time 2017-07-28 10:26:52 CEST
;; From 2a02:4a8:ac24:100::96:2@53(UDP) in 5.3 ms
That claims two wrong things: that the server is authoritative for google.com (an aa answer carrying a google.com SOA in the AUTHORITY section) and that the name ghs.google.com doesn't exist (with a CNAME chain in the answer the RCODE refers to the last name of the chain, not to the QNAME; see https://tools.ietf.org/html/rfc6604#section-3). We found multiple instances of this, e.g. also from wedos: www.silvidesign.cz.
Kresd currently SERVFAILs on this (validation); it would be better to use only the in-bailiwick information (the CNAME for www.rozpocetverejne.cz, which the server really is authoritative for), discard the rest (the google.com SOA and the NXDOMAIN that belongs to it, both about a zone the server is not authoritative for), and continue resolving ghs.google.com separately, even in this case.
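The filtering proposed above, as an added example (not kresd code, and not a description of how kresd currently handles the answer): walk the CNAME chain from the QNAME while each owner name stays inside the zone the query was sent for, keep those records, drop every answer and authority record owned outside that zone, and treat the server's RCODE as meaningful only if the chain ends inside the zone. The RR model, the `sanitize()` function and the `zone` parameter are assumptions of this illustration (a real resolver knows the zone from the delegation it followed); the sample response is constructed to mirror the kdig output above.

```python
# Added example, not part of kresd: bailiwick filter for an authoritative
# response that carries an out-of-zone CNAME chain plus a bogus NXDOMAIN.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    name: str    # owner name, absolute (trailing dot)
    ttl: int
    rtype: str   # "CNAME", "SOA", "A", ...
    rdata: str   # CNAME target / SOA fields / address, as kdig prints them


def _canon(name: str) -> str:
    """Lower-case and make absolute so comparisons ignore case and a missing dot."""
    name = name.lower().rstrip(".")
    return name + "." if name else "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below the apex of the zone the query was sent for."""
    name, zone = _canon(name), _canon(zone)
    if zone == ".":
        return True
    # The leading dot prevents "evilexample.cz." matching zone "example.cz."
    return name == zone or name.endswith("." + zone)


def _filter_auth(authority: List[RR], zone: str) -> List[RR]:
    """Authority records (SOA/NS) only count if they are owned inside the zone."""
    return [rr for rr in authority if in_bailiwick(rr.name, zone)]


def sanitize(qname: str, zone: str, rcode: str,
             answer: List[RR], authority: List[RR]
             ) -> Tuple[List[RR], List[RR], str, Optional[str]]:
    """Keep only what this server is entitled to say about `zone`.

    Returns (kept_answer, kept_authority, effective_rcode, next_qname):
      kept_answer     the CNAME chain from qname while each owner is in-bailiwick,
                      plus in-bailiwick non-CNAME records of the last in-zone name
      kept_authority  authority records owned inside the zone only
      effective_rcode the server's RCODE if the chain ends inside the zone, else
                      NOERROR (its RCODE would describe a name it is not authoritative for)
      next_qname      the out-of-zone CNAME target the resolver must look up itself,
                      or None if the chain ended inside the zone
    """
    by_owner = {}
    for rr in answer:
        by_owner.setdefault(_canon(rr.name), []).append(rr)

    kept_answer: List[RR] = []
    current = _canon(qname)
    seen = set()
    while True:
        if not in_bailiwick(current, zone):
            # The chain left the zone: everything the server says past this point
            # (SOA, RCODE) is about somebody else's zone and is discarded.
            return kept_answer, _filter_auth(authority, zone), "NOERROR", current
        if current in seen:
            break  # CNAME loop inside the zone; stop following it
        seen.add(current)
        rrs = by_owner.get(current, [])
        cnames = [rr for rr in rrs if rr.rtype == "CNAME"]
        if cnames:
            kept_answer.append(cnames[0])  # RFC 1034: at most one CNAME per owner
            current = _canon(cnames[0].rdata)
            continue
        kept_answer.extend(rrs)  # terminal in-zone records (e.g. A), if any
        break
    # Chain ended inside the zone, so the RCODE (e.g. NXDOMAIN) is the server's to give.
    return kept_answer, _filter_auth(authority, zone), rcode, None


# Constructed sample modelled on the kdig output in the report above.
SAMPLE_ZONE = "rozpocetverejne.cz."
SAMPLE_QNAME = "www.rozpocetverejne.cz."
SAMPLE_RCODE = "NXDOMAIN"
SAMPLE_ANSWER = [RR("www.rozpocetverejne.cz.", 600, "CNAME", "ghs.google.com.")]
SAMPLE_AUTHORITY = [RR("google.com.", 3600, "SOA",
                       "alfa.ns.active24.cz. hostmaster.active24.cz. "
                       "2017042405 10800 1800 1209600 3600")]


def handle_sample() -> Tuple[List[RR], List[RR], str, Optional[str]]:
    return sanitize(SAMPLE_QNAME, SAMPLE_ZONE, SAMPLE_RCODE,
                    SAMPLE_ANSWER, SAMPLE_AUTHORITY)


if __name__ == "__main__":
    ans, auth, eff_rcode, nxt = handle_sample()
    print("kept answer:   ", ans)        # just the in-zone CNAME
    print("kept authority:", auth)       # [] - the google.com SOA is dropped
    print("effective rcode:", eff_rcode, "/ next lookup:", nxt)
```

The resolver then issues its own query for `next_qname` (ghs.google.com) from the root or its cache instead of trusting this server's NXDOMAIN; only when the chain ends inside the zone (the second case in the check below) is the RCODE and its SOA kept.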