MoinQ:

DNS/BIND/CNAMEについて、ここに記述してください。

この記述をみると、CNAMEの先も返すのが正しいと考えているように読める。 -- ToshinoriMaeno 2015-10-05 15:41:00

Security Fixes 9.8.0-P4

    If named is configured to be both authoritative and resursive and receives a recursive query for a CNAME in a zone that it is authoritative for, if that CNAME also points to a zone the server is authoritative for, the recursive part of name will not follow the CNAME change and the response will not be a complete CNAME chain. [RT #24455] 

CNAME 返答の扱い

3115.   [bug]           Named could fail to return requested data when
                        following a CNAME that points into the same zone.
                        [RT #24455]

3040.   [bug]           Named failed to validate insecure zones where a node
                        with a CNAME existed between the trust anchor and the
                        top of the zone. [RT #23338]

2828.   [security]      Cached CNAME or DNAME RR could be returned to clients
                        without DNSSEC validation. [RT #20737]

2800.   [func]          Reject zones which have NS records which refer to
                        CNAMEs, DNAMEs or don't have address record (class IN
                        only).  Reject UPDATEs which would cause the zone
                        to fail the above checks if committed. [RT #20678]

1806.   [bug]           The resolver returned the wrong result when a CNAME /
                        DNAME was encountered when fetching glue from a
                        secure namespace. [RT #13501]