CNAME and other data -vs- could not find NS and/or SOA records
Kevin Darcy
kcd at daimlerchrysler.com
Fri Jun 4 03:32:57 UTC 2004
phil-news-nospam at ipal.net wrote:
>On Wed, 02 Jun 2004 17:13:19 -0400 Kevin Darcy <kcd at daimlerchrysler.com> wrote:
>
>| That's ridiculous. You want to special-case SOA and NS records? You want
>| to selectively disable aliasing for SOA and NS? But what if I *want* to
>| alias an SOA or NS record? What if I'm doing that today? You've just
>
>If you have figured out how to do that today, then why not just say how
>you are doing it and we can end this thread as "problem solved". If I'm
>to believe others here, you can't be doing that, anyway.
>
Perhaps I was not entirely clear. One uses CNAMEs to alias *names*. If
the target of the alias happens to own an SOA record, then effectively
you have aliased that SOA record (along with any other records it
happens to own). For instance, www.foo.com could (if it is not a zone
apex) be an alias for bar.com. bar.com could (and probably would, since
it's an SLD) own an SOA record. So if anyone queried www.foo.com/SOA,
they'd get the SOA of bar.com in the response. Voila! One has "aliased
an SOA record". Somehow I think that's not what you're looking for.
However, it's something people do, and the change you are proposing
might break it. If so, you have a huge acceptance/deployment obstacle to
overcome.
>| taken away functionality that people might be relying on. You'll never
>| get that deployed unless you extend the protocol with some sort of
>| "versioning" functionality so a client and server can agree to use the
>| "Phil Howard" semantics instead of the normal ones. Good luck on that.
>|
>| If I have the time, I might
>| generalize my patch so that it allows CNAME with any record, and answers
>| the CNAME if specific requested records are not present, or for ANY.
>| I think that will maximize the workability.
>|
>| OK, but the stranded CNAME problems rears its ugly head again. You can't
>| guarantee whether a given cache has the "specific requested records
>| [...] present" or not, since any RRset can expire from the cache at any
>| given time. I suppose you could limit your new semantics to only
>| *authoritative* servers, but now you've created an inconsistency
>| problem, where caching resolvers give different answers from
>| authoritative servers for the same query. Bad juju...
>
>Since my case doesn't require the generalization, then we can drop that idea.
>That leaves the CNAME record as the only record in the zone, and we're aliasing
>even the SOA and NS records as you suggested above that you might want to use.
>So, if the authoritative server, for any query, always answers with a CNAME
>pointing to the target domain to query, what breaks?
>
Phil, here's a short quiz for you: the record "foo.com IN CNAME bar.com"
exists, and, under your proposal, foo.com also owns SOA and NS records.
bar.com also owns SOA and NS records. A query comes in for foo.com/NS.
What NS set is returned?
A) The NS set for foo.com only
B) The NS set for bar.com only
C) A combination of both sets
If your answer is (A), then I assume it's because the nameservers
involved are special-casing QTYPEs of NS and SOA, not following aliases
for them as they normally would. This of course requires a modification
to the resolution algorithm of every authoritative and caching
nameserver in existence, the logistics of which, as Jim Reid pointed
out, are quite daunting. But let's say you pull that off somehow, and
every nameserver and caching server is now running with the modified
Phil Howard algorithm. But you've still changed how DNS behaves even
when viewed from DNS *clients*, and this could easily lead to more weird
and wonderful forms of breakage. For a given DNS name sometimes aliasing
occurs, sometimes it does not; it all depends on the QTYPE, to which
some clients may not be paying close attention. And what about
QTYPE=AXFR queries? I guess they need to be a special-cased too. And
QTYPE=* queries? Do you answer (A), (B) or (C) for those? If you answer
(A) or (B), then you upend the long-settled expectation of DNS clients
that the results of a QTYPE=* query equals an amalgamation of what you
would get by querying each record type separately (at least when the
queries are made directly to an authoritative server; don't get me
started again on the whole QTYPE=* caching debate). If you answer (C)
for QTYPE=* queries (i.e. combine the results of both foo.com and
bar.com), then not only do you cause all of the problems I mention below
for the (C) answer (e.g. increasing workload and points of failure), but
you're not even being consistent within your own approach, i.e. aliasing
is disabled for SOA/NS/AXFR queries, enabled for all others, except for
QTYPE=*, where a third methodology -- amalgamation -- is used. What a
mish-mosh!
Lastly, for an (A) answer to the original quiz, consider the nasty
Dynamic Update interaction. A Dynamic Update client wants to add a
foo.com SRV record, say, where none exists previously. It goes through
the normal SOA/NS queries to identify the zone and zone master, and,
according to what it is told, believes that foo.com is the zone in which
such an update should be made. Goes to make the update, but it fails.
Why? Because even though SOA and NS can, under your scaled-down
proposal, co-exist with the foo.com CNAME, the new SRV record *cannot*.
The client goes into error recovery, issuing an SRV query of foo.com to
see if it exists (maybe it already checked that, but who knows?, someone
else may have added it in the last few milliseconds). Lo and behold,
foo.com is actually a CNAME to a name in a previously-unheard-of zone!
You need to go over _there_, knucklehead, to make the update to a
different zone and probably a different master server, unless of course
the Dynamic Update client is so confused at this point, it's sitting in
the corner and sobbing. Sure, you could say it's the client's fault --
it should have put a "foo.com NXRRSET CNAME" prereq in its first update
so that it would fail quickly and cleanly and unambiguously. But that's
not something it has to do today when updating a zone apex, so again,
you're imposing a change in behavior not only on the *infrastructure*
components of DNS, but even the *clients* of DNS, and who even knows how
many different types of Dynamic Update and other DNS-interacting clients
there are out there, which would all have to change?
If your answer to the original quiz is (B), you've basically made the
foo.com NS records "invisible". Ditto for the SOA record, since your
proposal covers both record types. They're just dead weight: no-one sees
them except perhaps in an answer to a QTYPE=AXFR or QTYPE=* query. Good
luck trying to, say, Dynamically Update a zone with invisible SOA and NS
records. Or for a slave to perform a serial-number check. At that point,
one has to ask, why even have a foo.com zone? A zone with invisible SOA
and NS records is not a zone in any meaningful sense of the term. Why
not just put a foo.com CNAME record (and any records you want to put
*under* foo.com) into the .com zone? From a protocol standpoint, that's
exactly the way to handle it. It's just that the TLD operators don't
currently allow us ordinary folks to put such records in the zones. It's
basically an administrative/political issue, then, *not* a technical
one. The protocol allows you to do what you want, but the TLD operators
forbid it. Life is tough. Perhaps you should petition to start your own TLD.
If your answer to the original quiz is (C), you have roughly doubled the
workload of servers everywhere (since they have to look at two zones and
combine the results, instead of just looking at one), and introduced
more possible points of failure for queries. Moreover, these
amalgamated/conglomerated answers will just confuse resolvers and/or
clients everywhere, which aren't expecting to get multiple RRsets in
response to a non-"meta" query (by non-"meta", I mean a QTYPE that
refers to a specific record type, as opposed to being QTYPE=*,
QTYPE=AXFR or something like that). Even if the resolver doesn't
consider such a response outright corrupt, you've raised a nasty
ambiguity over which set of records is the "real" set. Again, the
contents of SOA and NS records *matter* to things like zone-transfer and
Dynamic Update; they're not just "placeholders" at the top of a zone, as
you may be accustomed to thinking of them. Significant breakage ensues.
So, bottom line, depending on your answer to the quiz, you cause
breakage and/or the *real* solution to your problem is an administrative
rather than a technical one.
- Kevin
P.S. You've asked how and why "CNAME and other data" "worked" back in
the Bad Old Days when BIND allowed it. I think it worked
*inconsistently*: depending on the order of records in the zone file,
named would either consider the name to be a CNAME exclusively or the
CNAME would be "hidden" behind the other records. So, as you maintain
your zonefile, you could get inconsistent results from the same master
server if you ever rearranged the order of records. Even if you didn't,
since zone transfers (if they worked at all!) aren't required to
preserve record order, your slaves could respond inconsistently with
your master or between themselves. Caching nameservers then would be at
the mercy of whatever authoritative server they talked to last and for
which they still had cache entries, so they answered inconsistently too.
Is this really a state of affairs to which you wish to return?
More information about the bind-users
mailing list