additional-from-cache and CNAME records

Barry Margolin barmar at alum.mit.edu
Thu Aug 19 00:16:19 UTC 2004


In article <cg02q6$3019$1 at sf1.isc.org>,
 Jeremie Le Hen <jeremie.le-hen at epita.fr> wrote:

> Hi,
> 
> First, excuse me for my English.
> 
> This may be a FAQ, but I did not succeed in finding anything about this in
> the mailing-list archives or the FAQ.  I use BIND 9.2.3.
> 
> I have a zone with a CNAME pointing to a record which is totally
> outside my zones.  Since it is an authoritative-only name server view,
> I want to disable exposure of cached private information so I use
> the "additional-from-cache" statement.  The problem is that when
> I disable this, the server refuses to answer all queries concerning
> CNAME pointing outside my delegation when the resolver queries for an A
> record, while A and other CNAME records pointing into my delegation are
> still well answered.  When I re-enable it, it works like a charm.
> 
> Here is an example (zone example.com) :
> a-name		IN	A		123.123.123.123
> point-inside	IN	CNAME		a-name
> point-outside	IN	CNAME		another-name.at.another-domain.com.
> 
> 
> Whatever the value of "additional-from-cache yes", ``a-name.example.com''
> and ``point-inside.example.com'' are always answered but this is not the
> case for ``point-outside.example.com''.  But when "additional-from-cache"
> is disabled, then the latter won't be answered any longer when queried with
> an A record.  In this case, it would indeed normally answer with the CNAME
> record, even though the query is an A, AFAIK.  Unfortunately, I must
> explicitly ask for a CNAME here.

Isn't that what you want to happen?  You said you want to "disable 
exposure of cached private information".  Since your server is not 
authoritative for another-domain.com, this A record would have to come 
from the cache.  So your server just responds with the CNAME record, and 
the server that's querying it is expected to follow the alias itself.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
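
The check below is an added example, not part of the original thread or of BIND. It audits a dig-style answer section against the zones a server is authoritative for, reporting records owned outside those zones (data that, as the reply notes, would have to come from the cache) and the alias target the querying resolver is left to follow. The function names, the sample answers and the address 192.0.2.10 are constructed for illustration.

```python
# Added example; function names and sample answers are constructed.
SERVED_ZONES = ["example.com."]  # zones this server is authoritative for

# 192.0.2.10 is a placeholder standing in for a cached out-of-zone address.
WITH_CACHE = """
point-outside.example.com. 3600 IN CNAME another-name.at.another-domain.com.
another-name.at.another-domain.com. 120 IN A 192.0.2.10
"""
CNAME_ONLY = """
point-outside.example.com. 3600 IN CNAME another-name.at.another-domain.com.
"""
INSIDE = """
point-inside.example.com. 3600 IN CNAME a-name.example.com.
a-name.example.com. 3600 IN A 123.123.123.123
"""

def in_zone(name, zones):
    """True if name is at or below the apex of one of the served zones."""
    name = name.lower().rstrip(".") + "."
    return any(name == z or name.endswith("." + z) for z in zones)

def parse_answer(text):
    """Parse 'owner ttl class type rdata' lines into (owner, type, rdata)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, _ttl, _class, rtype, rdata = line.split(None, 4)
        records.append((owner.lower(), rtype.upper(), rdata.lower()))
    return records

def audit(qname, qtype, answer_text, zones=SERVED_ZONES):
    """Return (leaked, follow): answer records owned outside the served zones,
    and the alias target the querying resolver must still resolve itself."""
    records = parse_answer(answer_text)
    leaked = [r for r in records if not in_zone(r[0], zones)]
    cnames = {owner: target for owner, rtype, target in records if rtype == "CNAME"}
    name, seen = qname.lower(), set()
    while name in cnames and name not in seen:  # walk the chain, stop on loops
        seen.add(name)
        name = cnames[name]
    resolved = any(o == name and t == qtype.upper() for o, t, _ in records)
    follow = name if name != qname.lower() and not resolved else None
    return leaked, follow

if __name__ == "__main__":
    for label, text in (("with cache", WITH_CACHE), ("cname only", CNAME_ONLY)):
        print(label, audit("point-outside.example.com.", "A", text))
```

An empty `leaked` list together with a non-empty `follow` is the CNAME-only answer the reply describes; a non-empty `leaked` list means out-of-zone data is being served alongside the alias.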

