How to find ver in BIND 8.x for NT?

Mark Andrews Mark_Andrews at isc.org
Wed May 18 02:34:52 UTC 2005


> At 7:48 PM -0400 2005-05-17, Danny Mayer wrote:
> 
> >  Because of a number of architectural issues that were finally fixed
> >  in BIND 9.3.0 and 9.2.4 I don't recommend any version of BIND
> >  earlier than those and none of the BIND 8 versions.
> 
> 	Good advice.
> 
> >                                                       BIND 9 does
> >  support round robin but I have no idea what you mean by round robin
> >  through multiple CNAME's nor why you need to use multiple CNAME's.
> 
> 	I'm not sure, but he may be talking about the same CNAME trick we 
> were using at AOL to do very crude round-robin load-balancing for 
> americaonline.aol.com (the hostname that the AOL client connects to, 
> if you bring your own access).
> 
> 	What it amounts to is a CNAME chain, with multiple CNAME records 
> at certain levels.  So, americaonline.aol.com might have multiple 
> aliases pointing to dial.internet.aol.com, dial1.internet.aol.com, 
> ... dialXXXX.internet.aol.com.  Likewise, each of the 
> dialXXXX.internet.aol.com names would have multiple CNAME records 
> pointing to 1.internet.aol.com, 2.internet.aol.com, ... 
> YYY.internet.aol.com, and the actual A records are only associated 
> with the final CNAME target.
> 
> 	The cool thing is that, when you do anything other than a CNAME 
> query for a given hostname, only one path down the CNAME chain will 
> be followed.  Just two numeric digits in the CNAME aliases for two 
> levels could give you ten thousand different final sets of target IP 
> addresses, and each final set would be relatively limited in size.
> 
> 	Anyway, we couldn't use it for mail, because you can't point MX 
> records at CNAMEs, but it worked a treat for americaonline.aol.com.
> 
> 
> 	However, I believe that this is an old trick that works under 
> BIND-8 and not under BIND-9.  IIRC, this wasn't technically illegal 
> according to the original spec and BIND-8 allowed it, but apparently 
> BIND-9 tightened up on this issue (perhaps in response to some newer 
> guidance?).

	BIND 4 allowed it.  BIND 8 tightened the issue with a switch to
	get back the BIND 4 behaviour.  BIND 9 removed the switch.

	Yes, it is illegal according to RFC 1034.  CNAME and other
	data is illegal.  It also doesn't play well with DNSSEC.

	It was plain dumb luck that it worked at all.  The code
	assumed that there was only a single CNAME because there
	was only supposed to be one.  When RRsets started to be
	rotated by default, the CNAMEs also got rotated giving this
	behaviour.  Prior to that the first CNAME loaded was returned.
 
> 	If you check the authoritative nameservers for AOL, you will find 
> that dns-01.ns.aol.com through dns-09.ns.aol.com appear to be running 
> BIND 9.2.3rc1-9.4.0a0 (according to fpdns.pl), while internet.aol.com 
> is delegated to two other nameservers (aol-23a.aol.com and 
> aol-23b.aol.com), both of which appear to be running BIND 
> 8.3.0rc1-8.4.4 (according to fpdns.pl).
> 
> 	Interestingly, these latter two machines also appear to have 
> recursion enabled.  I'll have to have a talk with the hostmaster 
> folks.
> 
> -- 
> Brad Knowles, <brad at stop.mail-abuse.org>
> 
> "Those who would give up essential Liberty, to purchase a little
> temporary Safety, deserve neither Liberty nor Safety."
> 
>      -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
>      Assembly to the Governor, November 11, 1755
> 
>    SAGE member since 1995.  See <http://www.sage.org/> for more info.
> 
> 
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
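
Added example, not part of the original message and not ISC code: a small Python check that flags the two conditions discussed in this thread, several CNAME records at one owner name and a CNAME coexisting with other data. The zone lines are constructed sample data using the hostnames mentioned above, the one-line fully qualified record layout is an assumption, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample (owner TTL class type rdata), modelled on the CNAME chain
# described in the thread; 192.0.2.10 is a documentation address.
SAMPLE_ZONE = """\
americaonline.aol.com.   300 IN CNAME dial1.internet.aol.com.
americaonline.aol.com.   300 IN CNAME dial2.internet.aol.com.
dial1.internet.aol.com.  300 IN CNAME 1.internet.aol.com.
dial2.internet.aol.com.  300 IN CNAME 1.internet.aol.com.
dial2.internet.aol.com.  300 IN TXT   "pool b"
1.internet.aol.com.      300 IN A     192.0.2.10
"""

# Record types DNSSEC (RFC 4035) permits at the same owner name as a CNAME.
DNSSEC_OK = {"RRSIG", "NSEC"}


def parse_records(text):
    """Yield (owner, type, rdata) from fully qualified one-line records."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        yield owner.lower(), rtype.upper(), rdata


def cname_violations(text):
    """Map each offending owner name to the reasons its CNAME is invalid."""
    by_owner = defaultdict(list)
    for owner, rtype, rdata in parse_records(text):
        by_owner[owner].append((rtype, rdata))
    problems = {}
    for owner, rrs in by_owner.items():
        targets = sorted({r.lower() for t, r in rrs if t == "CNAME"})
        if not targets:
            continue
        others = sorted({t for t, _ in rrs if t != "CNAME"} - DNSSEC_OK)
        reasons = []
        if len(targets) > 1:
            reasons.append("multiple CNAME targets: " + ", ".join(targets))
        if others:
            reasons.append("CNAME and other data: " + ", ".join(others))
        if reasons:
            problems[owner] = reasons
    return problems
```

Calling cname_violations(SAMPLE_ZONE) reports americaonline.aol.com. for multiple CNAME targets and dial2.internet.aol.com. for CNAME and other data; dial1.internet.aol.com., with a single CNAME and nothing else, is clean.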


