CNAME lookup discrepancy
Mark_Andrews at isc.org
Tue Jun 18 22:09:50 UTC 2002
>
> I'm wondering if someone can explain the following problem. I have two
> machines running 9.2.1, one Solaris 8 and one Linux on the same network.
> When both look up records for a poorly configured domain, one in which the
> NS records are CNAMES, the Solaris box can end up getting SERVFAIL
> responses to nameserver lookups, while the Linux box never does.
>
> Example:
> # rndc flush
> # dig www.reyrey.com
> # dig nse2.reyrey.com
> # dig nse3.reyrey.com
>
> In this particular sequence, the Solaris box always ends up getting a
> SERVFAIL response on the last dig, while the Linux box doesn't. Executing
> 'rndc dumpdb' and examining the differences reveals that the Linux's dump
> file contains the corresponding A record for the second nameserver's CNAME
> record, while the Solaris box is missing that data in the dump file,
> reflecting the dig behaviour. They were obviously compiled separately,
> but all relevant config parameters are the same and BIND 9 reportedly has
> glue fetching permanently disabled. Any clues?
>
> Below is an excerpt from the Linux box's dump file. In this particular
> test, the oh15ux90.reyrey.com. entry is not present in the Solaris box's
> dump file:
>
> ; authauthority
> reyrey.com. 86390 NS nse2.reyrey.com.
> 86390 NS nse3.reyrey.com.
> ; authanswer
> 3582 A 192.112.245.59
> ; authanswer
> mgw.reyrey.com. 86390 A 206.180.25.16
> ; glue
> NSE2.reyrey.com. 172782 A 192.112.245.229
> ; authanswer
> 86386 CNAME oh15ux90.reyrey.com.
> ; glue
> NSE3.reyrey.com. 172782 A 206.180.25.16
> ; authanswer
> 86390 CNAME mgw.reyrey.com.
> ; authanswer
> oh15ux90.reyrey.com. 3586 A 192.112.245.229
> ; authanswer
> www.reyrey.com. 3582 CNAME reyrey.com.
>
>
> I asked the administrators of the domain to change the NS records, but
> they didn't want to. I wouldn't care, but they're a customer.
>
>
> -- Ian Watts
>
>
NS records are not allowed to point to CNAME records. On
top of it breaking the rule which says RHS should not refer
to CNAME records, it also breaks the algorithm
for putting glue records in the additional section when
sending a referral. Remember the glue records are supposed
to be *copies* of those in the zone as is the NS RRset.

No version of named follows CNAME records when looking for
addresses of nameservers. If you were to make another query
for data in the zone it would fail completely as named would
know about both CNAME records.

You have warned them that their zone is mis-configured. They
will eventually learn as clients can't reach their site.

Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
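
The misconfiguration discussed in this thread (NS records whose target names are CNAMEs) can be checked for before a zone is published. The following is an added example, not part of the original messages and not BIND code; the sample data is constructed from the names in the quoted dump, and the `owner ttl [class] type rdata` line layout is an assumption.

```python
# Added example: flag NS records whose target name owns a CNAME record.
# SAMPLE is constructed, modelled on the dump excerpt quoted in the thread.
SAMPLE = """\
; constructed sample, master-file style
reyrey.com.          86390  NS     nse2.reyrey.com.
                     86390  NS     nse3.reyrey.com.
                     3582   A      192.112.245.59
mgw.reyrey.com.      86390  A      206.180.25.16
NSE2.reyrey.com.     86386  CNAME  oh15ux90.reyrey.com.
NSE3.reyrey.com.     86390  CNAME  mgw.reyrey.com.
oh15ux90.reyrey.com. 3586   A      192.112.245.229
www.reyrey.com.      3582   CNAME  reyrey.com.
"""


def parse_records(text):
    """Yield (owner, rrtype, rdata) from 'owner ttl [class] type rdata' lines.

    A line that starts with whitespace inherits the previous owner name.
    Owner names are lowercased: DNS names compare case-insensitively.
    """
    owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if not raw[0].isspace():               # explicit owner on this line
            owner = fields.pop(0).lower()
        if len(fields) >= 2 and fields[1].upper() == "IN":
            del fields[1]                      # optional class field
        if owner is None or len(fields) < 3:
            continue                           # not a record we understand
        yield owner, fields[1].upper(), " ".join(fields[2:])


def ns_targets_that_are_cnames(text):
    """Return sorted (zone, ns_target, cname_target) for every bad NS record."""
    records = list(parse_records(text))
    cnames = {o: r.lower() for o, t, r in records if t == "CNAME"}
    return sorted((o, r.lower(), cnames[r.lower()])
                  for o, t, r in records
                  if t == "NS" and r.lower() in cnames)


if __name__ == "__main__":
    for zone, ns, target in ns_targets_that_are_cnames(SAMPLE):
        print(f"{zone} NS {ns} is a CNAME for {target}")
```
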