CNAME Rules

Mark Andrews marka at isc.org
Mon Jun 25 21:53:04 UTC 2012


In message <CA+zrinE1sHkojS1fCNdcgZtF-+QQrTkqmRcfXZ1kUiBr=SQr9w at mail.gmail.com>
, Srinivas Krishnan writes:
> The RFC rules on CNAMEs are fairly tight, but I am seeing an increasing
> amount of traffic with misconfigured CNAMEs, some of which are accepted
> by BIND as valid responses. The examples capture three trends; note
> these are actual responses:

	Named first parses the response to extract the records into
	RRsets.  Responses with multiple CNAMEs are detected at
	this point and get rejected.  Named then tries to interpret
	the parsed message and once it has seen the CNAME and
	associated RRSIGs it stops processing the result and issues
	a new query for the target of the CNAME.  This is done to
	stop the cache being poisoned.

> 1) Example-1: CNAME in the additional section necessary to finish
> processing of response. BIND accepts this as valid:
> 
> proto: DNS: id=febd qr=1 QUERY AA NOERROR qdcount=1 ancount=7 nscount=6 arcount=7
>     query: after12.failblog.org. A IN
>     answer: after12.failblog.org. CNAME IN TTL=3600 chzallnighter.wordpress.com.
>     answer: vip-lb.wordpress.com. A IN TTL=300 72.233.104.123
>     nameserver: wordpress.com. NS IN TTL=14400 ns1.wordpress.com.
>     nameserver: wordpress.com. NS IN TTL=14400 ns2.wordpress.com.
>     additional: chzallnighter.wordpress.com. CNAME IN TTL=300 vip-lb.wordpress.com.
>     additional: ns1.wordpress.com. A IN TTL=14400 72.233.69.14
>     additional: ns2.wordpress.com. A IN TTL=14400 76.74.159.137
> 
> 2) Example-2: Multiple CNAMEs with same label but different data, BIND
> finds this to be incorrect and retries if another nameserver is
> available:
> 
> 
> proto: DNS: id=8faa qr=1 QUERY AA NOERROR qdcount=1 ancount=2 nscount=13
>     query: image.dhgate.com. A IN
>     answer: image.dhgate.com. CNAME IN TTL=7200 image.dhgate.chinacache.net.
>     answer: image.dhgate.com. CNAME IN TTL=7200 image.dhgate.com.cdn20.com.
>     nameserver: . NS IN TTL=518400 a.root-servers.net.
>     nameserver: . NS IN TTL=518400 b.root-servers.net.
>     nameserver: . NS IN TTL=518400 c.root-servers.net.
> 
> 3) Example-3: Multiple CNAMEs with same and data, BIND finds this to
> be incorrect as well and retries.
> 
> proto: DNS: id=a0f6 qr=1 QUERY AA NOERROR qdcount=1 ancount=2 nscount=3 arcount=3
>     query: www.smilebox.com. A IN
>     answer: www.smilebox.com. CNAME IN TTL=3600 www.g.smilebox.com.
>     answer: www.smilebox.com. CNAME IN TTL=3600 www.g.smilebox.com.
>     nameserver: smilebox.com. NS IN TTL=86400 ns1.smilebox.com.
>     nameserver: smilebox.com. NS IN TTL=86400 ns2.smilebox.com.
>     nameserver: smilebox.com. NS IN TTL=86400 ns3.smilebox.com.
>     additional: ns1.smilebox.com. A IN TTL=86400 207.66.132.8
>     additional: ns2.smilebox.com. A IN TTL=86400 216.218.214.52
>     additional: ns3.smilebox.com. A IN TTL=86400 71.164.20.101
> 
> 
> My question really is: what are the rules governing CNAME processing in
> BIND, and why is Example-1 allowed as valid?
> 
> 
> -srinivas
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
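The two-stage check Mark describes (group the records into RRsets, reject a response carrying more than one CNAME RR for a name, then stop interpreting at the first CNAME for the question and re-query its target) can be run against the three captured responses above. The following is an added illustration, not BIND code, and not something posted by either participant; it parses the `proto: DNS` text format used in the post and applies the stated rules. The function names `parse_response`, `rrsets` and `evaluate` are my own, and the model is deliberately simplified (no RRSIG handling, no section-level trust rules beyond "only the CNAME owned by the question name is used").

```python
import re
from collections import defaultdict

# The three responses quoted in the post, with the mail line-wrapping undone.
EXAMPLE_1 = """\
proto: DNS: id=febd qr=1 QUERY AA NOERROR qdcount=1 ancount=7 nscount=6 arcount=7
    query: after12.failblog.org. A IN
    answer: after12.failblog.org. CNAME IN TTL=3600 chzallnighter.wordpress.com.
    answer: vip-lb.wordpress.com. A IN TTL=300 72.233.104.123
    nameserver: wordpress.com. NS IN TTL=14400 ns1.wordpress.com.
    nameserver: wordpress.com. NS IN TTL=14400 ns2.wordpress.com.
    additional: chzallnighter.wordpress.com. CNAME IN TTL=300 vip-lb.wordpress.com.
    additional: ns1.wordpress.com. A IN TTL=14400 72.233.69.14
    additional: ns2.wordpress.com. A IN TTL=14400 76.74.159.137
"""

EXAMPLE_2 = """\
proto: DNS: id=8faa qr=1 QUERY AA NOERROR qdcount=1 ancount=2 nscount=13
    query: image.dhgate.com. A IN
    answer: image.dhgate.com. CNAME IN TTL=7200 image.dhgate.chinacache.net.
    answer: image.dhgate.com. CNAME IN TTL=7200 image.dhgate.com.cdn20.com.
    nameserver: . NS IN TTL=518400 a.root-servers.net.
"""

EXAMPLE_3 = """\
proto: DNS: id=a0f6 qr=1 QUERY AA NOERROR qdcount=1 ancount=2 nscount=3 arcount=3
    query: www.smilebox.com. A IN
    answer: www.smilebox.com. CNAME IN TTL=3600 www.g.smilebox.com.
    answer: www.smilebox.com. CNAME IN TTL=3600 www.g.smilebox.com.
    nameserver: smilebox.com. NS IN TTL=86400 ns1.smilebox.com.
"""

# One record line: "<section>: <name> <type> <class> [TTL=<n> <rdata>]"
RR_LINE = re.compile(
    r"^\s*(query|answer|nameserver|additional):\s+(\S+)\s+(\S+)\s+(\S+)"
    r"(?:\s+TTL=(\d+)\s+(.*))?$"
)


def parse_response(text):
    """Return ((qname, qtype, qclass), {section: [(name, type, class, ttl, rdata), ...]})."""
    question = None
    sections = defaultdict(list)
    for line in text.splitlines():
        m = RR_LINE.match(line)
        if not m:
            continue  # the "proto:" header and anything unrecognised
        section, name, rtype, rclass, ttl, rdata = m.groups()
        if section == "query":
            question = (name.lower(), rtype, rclass)
        else:
            sections[section].append(
                (name.lower(), rtype, rclass, int(ttl), (rdata or "").strip())
            )
    return question, sections


def rrsets(records):
    """Group records by (name, type, class); duplicates are kept so they can be counted."""
    sets = defaultdict(list)
    for name, rtype, rclass, _ttl, rdata in records:
        sets[(name, rtype, rclass)].append(rdata)
    return sets


def evaluate(text):
    """Apply the rules from the post: ('reject', why) | ('requery', target) | ('accept', rdatas)."""
    (qname, qtype, qclass), sections = parse_response(text)

    # Stage 1: after grouping into RRsets, any name with more than one CNAME RR
    # (different data, as in Example-2, or the same data twice, as in Example-3)
    # makes the whole response unusable.
    for section, records in sections.items():
        for (name, rtype, _rclass), rdatas in rrsets(records).items():
            if rtype == "CNAME" and len(rdatas) > 1:
                return ("reject", f"{name} has {len(rdatas)} CNAME RRs in the {section} section")

    # Stage 2: interpret the answer. Once the CNAME owned by the question name is
    # seen, processing stops and the target is queried afresh; the extra A record
    # and the additional-section CNAME in Example-1 are never consulted, which is
    # what keeps them out of the cache.
    answer = rrsets(sections["answer"])
    cname = answer.get((qname, "CNAME", qclass))
    if cname and qtype != "CNAME":
        return ("requery", cname[0].lower())
    if (qname, qtype, qclass) in answer:
        return ("accept", answer[(qname, qtype, qclass)])
    return ("reject", "no usable answer for the question")


if __name__ == "__main__":
    for label, text in (("Example-1", EXAMPLE_1), ("Example-2", EXAMPLE_2), ("Example-3", EXAMPLE_3)):
        print(label, evaluate(text))
```

Running it prints `requery` for Example-1 (the CNAME itself is fine; only the target gets looked up) and `reject` for Examples 2 and 3, matching the behaviour reported in the thread.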