CNAME lookup discrepancy

Mark_Andrews at isc.org
Tue Jun 18 22:09:50 UTC 2002


> 
> I'm wondering if someone can explain the following problem.  I have two
> machines running 9.2.1, one Solaris 8 and one Linux on the same network.
> When both look up records for a poorly configured domain, one in which the
> NS records are CNAMES, the Solaris box can end up getting SERVFAIL
> responses to nameserver lookups, while the Linux box never does.
> 
> Example:
> # rndc flush
> # dig www.reyrey.com
> # dig nse2.reyrey.com
> # dig nse3.reyrey.com
> 
> In this particular sequence, the Solaris box always ends up getting a
> SERVFAIL response on the last dig, while the Linux box doesn't.  Executing
> 'rndc dumpdb' and examining the differences reveals that the Linux's dump
> file contains the corresponding A record for the second nameserver's CNAME
> record, while the Solaris box is missing that data in the dump file,
> reflecting the dig behaviour.  They were obviously compiled separately,
> but all relevant config parameters are the same and BIND 9 reportedly has
> glue fetching permanently disabled.  Any clues?
> 
> Below is an excerpt from the Linux box's dump file.  In this particular
> test, the oh15ux90.reyrey.com. entry is not present in the Solaris box's
> dump file:
> 
> ; authauthority
> reyrey.com.             86390   NS      nse2.reyrey.com.
>                         86390   NS      nse3.reyrey.com.
> ; authanswer
>                         3582    A       192.112.245.59
> ; authanswer
> mgw.reyrey.com.         86390   A       206.180.25.16
> ; glue
> NSE2.reyrey.com.        172782  A       192.112.245.229
> ; authanswer
>                         86386   CNAME   oh15ux90.reyrey.com.
> ; glue
> NSE3.reyrey.com.        172782  A       206.180.25.16
> ; authanswer
>                         86390   CNAME   mgw.reyrey.com.
> ; authanswer
> oh15ux90.reyrey.com.    3586    A       192.112.245.229
> ; authanswer
> www.reyrey.com.         3582    CNAME   reyrey.com.
> 
> 
> I asked the administrators of the domain to change the NS records, but
> they didn't want to.  I wouldn't care, but they're a customer.
> 
> 
> -- Ian Watts
> 
> 

	NS records are not allowed to point to CNAME records.  On
	top of it breaking the rule which says RHS should not refer
	to CNAME records, it also breaks the algorithm
	for putting glue records in the additional section when
	sending a referral.  Remember the glue records are supposed
	to be *copies* of those in the zone as is the NS RRset.

	No version of named follows CNAME records when looking for
	addresses of nameservers.  If you were to make another query
	for data in the zone it would fail completely as named would
	know about both CNAME records.

	You have warned them that their zone is mis-configured.  They
	will eventually learn as clients can't reach their site.
	
	Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
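
An added example, not part of the original thread: a Python check that parses an `rndc dumpdb`-style excerpt in the layout quoted above and reports NS targets that own a CNAME, the misconfiguration the reply describes. It assumes the `owner ttl type data` layout of that excerpt (no class field); the function names are hypothetical.

```python
# DUMP is the cache excerpt quoted in the thread (Linux box), without the "> " prefix.
DUMP = """\
; authauthority
reyrey.com.             86390   NS      nse2.reyrey.com.
                        86390   NS      nse3.reyrey.com.
; authanswer
                        3582    A       192.112.245.59
; authanswer
mgw.reyrey.com.         86390   A       206.180.25.16
; glue
NSE2.reyrey.com.        172782  A       192.112.245.229
; authanswer
                        86386   CNAME   oh15ux90.reyrey.com.
; glue
NSE3.reyrey.com.        172782  A       206.180.25.16
; authanswer
                        86390   CNAME   mgw.reyrey.com.
; authanswer
oh15ux90.reyrey.com.    3586    A       192.112.245.229
; authanswer
www.reyrey.com.         3582    CNAME   reyrey.com.
"""

def parse_records(text):
    """Yield (owner, type, data). Assumes 'owner ttl type data' with no class field."""
    owner = None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue                       # blank line or trust-level comment
        if not line[0].isspace():          # indented lines inherit the previous owner
            owner = fields.pop(0).lower()  # DNS names compare case-insensitively
        if owner and len(fields) >= 3 and fields[0].isdigit():
            yield owner, fields[1].upper(), fields[2].lower()

def ns_pointing_at_cname(text):
    """Map zone -> {NS target: (CNAME target, cached A records of that target)}."""
    records = list(parse_records(text))
    cnames = {o: d for o, t, d in records if t == "CNAME"}
    bad = {}
    for zone, t, ns in records:
        if t == "NS" and ns in cnames:
            a = [d for o, rt, d in records if o == cnames[ns] and rt == "A"]
            bad.setdefault(zone, {})[ns] = (cnames[ns], a)
    return bad

if __name__ == "__main__":
    for zone, targets in ns_pointing_at_cname(DUMP).items():
        print(zone, targets)
```

An empty address list for a CNAME target corresponds to the cache state the original poster reports on the Solaris box, where the `oh15ux90.reyrey.com.` entry is absent.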


More information about the bind-users mailing list