Allow Multiple-Cnames in BIND 9

Joseph S D Yao jsdy at center.osis.gov
Sat Dec 1 02:51:21 UTC 2001


On Fri, Nov 30, 2001 at 05:50:46PM -0800, Doug Barton wrote:
> 
> On Fri, 30 Nov 2001, Jim Reid wrote:
...
> > That's as may be. But RFC1034 could hardly be any clearer about
> > multiple CNAMEs:
> >
> >     If a CNAME RR is present at a node, no other data should be present
> 
> 	And the traditional response to your traditional response is that
> a second CNAME doesn't constitute "other data," since it's the same RR
> type. Whether that's true or not is open to debate, but there are some of
> us who don't think it's cut and dry.

Then how about RFC 2181, "Clarifications to the DNS Specification"?

"10.1. CNAME resource records

   The DNS CNAME ("canonical name") record exists to provide the
   canonical name associated with an alias name.  There may be only one
   such canonical name for any one alias.  That name should generally be
   a name that exists elsewhere in the DNS, though there are some rare
   applications for aliases with the accompanying canonical name
   undefined in the DNS.  An alias name (label of a CNAME record) may,
   if DNSSEC is in use, have SIG, NXT, and KEY RRs, but may have no
   other data.  That is, for any label in the DNS (any domain name)
   exactly one of the following is true:

     + one CNAME record exists, optionally accompanied by SIG, NXT, and
       KEY RRs,
     + one or more records exist, none being CNAME records,
     + the name exists, but has no associated RRs of any type,
     + the name does not exist at all."

> 	To try and lead the conversation down a more productive route, we
> occasionally get complaints from end users who are stuck behind really
> old/broken resolvers that don't handle the truncated bit properly, thereby
> preventing them from resolving addresses for hosts whose A RR set is too
> large to fit into a UDP packet. One thing we've considered is patching
> BIND to always return some random subset of the possible A records that
> will fit into a UDP packet... any comments on the pros or cons of that
> approach? Does anyone have a working model that I could crib from? :)

Ideally, one might upgrade the resolver.  ;-)  This also happens when
folks block all UDP without putting in a DNS proxy.

I think some folks have multiple name servers, any one of which will
only provide a subset of the A records.  Would that concept help you?

-- 
Joe Yao				jsdy at center.osis.gov - Joseph S. D. Yao
OSIS Center Systems Support					EMT-B
-----------------------------------------------------------------------
   This message is not an official statement of OSIS Center policies.
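An added example, not part of the thread above or of BIND itself: a small Python checker that applies the RFC 2181 section 10.1 rule quoted in this message (exactly one of: one CNAME optionally with SIG/NXT/KEY, other data with no CNAME, a name with no RRs, or no name at all) to a list of resource records, plus a rough estimate of how many A records fit in a classic 512-byte UDP answer for the truncation problem Doug describes. The record tuples, the `SAMPLE_ZONE` data, the function names and the wire-size estimate (owner name compressed to a 2-byte pointer, no additional section) are all constructed assumptions for this example.

```python
"""RFC 2181 10.1 node check and a 512-byte UDP fit estimate (constructed example)."""
import random
from collections import Counter

# Records are (owner, type, rdata) tuples, e.g. ("www.example.", "CNAME", "host.example.").
# RFC 2181 names SIG, NXT and KEY as the only RR types allowed beside a CNAME
# when DNSSEC is in use (the pre-RFC 4034 names); the set is a parameter so it
# can be swapped for RRSIG/NSEC on a modern zone.
DNSSEC_BESIDE_CNAME = frozenset({"SIG", "NXT", "KEY"})


def classify_node(rrs, allowed_beside_cname=DNSSEC_BESIDE_CNAME):
    """Return (state, problems) for the RRs at one owner name.

    state is one of the four RFC 2181 cases: "cname", "data", "empty"
    (the name exists but has no RRs) or "nonexistent" (pass rrs=None).
    problems lists violations: more than one CNAME, or CNAME plus other data.
    """
    if rrs is None:
        return "nonexistent", []
    types = Counter(rtype.upper() for _, rtype, _ in rrs)
    if not types:
        return "empty", []
    cnames = types.get("CNAME", 0)
    if cnames == 0:
        return "data", []
    problems = []
    if cnames > 1:
        problems.append(f"{cnames} CNAME records at one name (RFC 2181: at most one)")
    others = sorted(t for t in types if t != "CNAME" and t not in allowed_beside_cname)
    if others:
        problems.append("CNAME coexists with other data: " + ", ".join(others))
    return "cname", problems


def check_zone(rrs):
    """Group a flat RR list by owner and return {owner: problems} for violating owners."""
    by_owner = {}
    for rr in rrs:
        by_owner.setdefault(rr[0].lower(), []).append(rr)
    report = {}
    for owner, node in by_owner.items():
        _, problems = classify_node(node)
        if problems:
            report[owner] = problems
    return report


# --- How many A records fit in a 512-byte UDP answer (the truncation issue) ---
DNS_HEADER_LEN = 12
UDP_PAYLOAD_LIMIT = 512  # classic DNS-over-UDP limit without EDNS0


def wire_name_len(name):
    """Uncompressed wire length of a domain name: one length byte per label plus the root byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1


def a_response_len(qname, count):
    """Estimated response size carrying `count` A records for qname (assumption: owner name
    in each answer RR is a 2-byte compression pointer, no authority/additional records)."""
    question = wire_name_len(qname) + 4           # QNAME + QTYPE + QCLASS
    per_rr = 2 + 2 + 2 + 4 + 2 + 4                # pointer, TYPE, CLASS, TTL, RDLENGTH, IPv4
    return DNS_HEADER_LEN + question + count * per_rr


def max_a_records_for_udp(qname, limit=UDP_PAYLOAD_LIMIT):
    """Largest number of A records that fit in one untruncated UDP response."""
    return max(0, (limit - a_response_len(qname, 0)) // 16)


def fitting_subset(qname, addresses, limit=UDP_PAYLOAD_LIMIT, rng=random):
    """Random subset of addresses that fits without truncation (Doug's proposed workaround);
    the full set is returned unchanged when it already fits."""
    n = max_a_records_for_udp(qname, limit)
    if len(addresses) <= n:
        return list(addresses)
    return rng.sample(list(addresses), n)


# Constructed sample zone covering the cases argued about in the thread.
SAMPLE_ZONE = [
    ("www.example.", "CNAME", "host1.example."),
    ("www.example.", "CNAME", "host2.example."),    # second CNAME at one name
    ("mail.example.", "CNAME", "host1.example."),
    ("mail.example.", "MX", "10 host1.example."),   # CNAME plus other data
    ("host1.example.", "A", "192.0.2.1"),
    ("host2.example.", "A", "192.0.2.2"),
    ("alias.example.", "CNAME", "host1.example."),
    ("alias.example.", "SIG", "CNAME ..."),         # allowed beside a CNAME under RFC 2181
]

if __name__ == "__main__":
    for owner, problems in check_zone(SAMPLE_ZONE).items():
        print(owner, "->", "; ".join(problems))
    print("A records per 512-byte answer for www.example.com.:",
          max_a_records_for_udp("www.example.com."))
```

Running the script reports `www.example.` and `mail.example.` as violations while `alias.example.` passes, and shows that a query name like `www.example.com.` leaves room for 29 A records under the 512-byte limit, which is why large round-robin sets hit the truncated bit and old resolvers that ignore it fail.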