Chaining CNAMEs?

Kevin Darcy kcd at daimlerchrysler.com
Tue Aug 22 16:10:44 UTC 2006


Mark Andrews wrote:
>> Chris De Young wrote:
>>> Hi,
>>> I was just browsing through the latest edition of the O'Reilly
>>> DNS/BIND book, and ran across a bit on pointing a CNAME record at
>>> another alias:
>>>
>>> "The answer is yes: you can chain together CNAME records. The BIND
>>> implementation supports it, and the RFCs don't expressly forbid it."
>>>
>>> The authors go on to recommend against it anyway, but I had always
>>> thought that this was actually illegal.  I don't remember now where I
>>> had gotten that idea... I think the issue had to do with not being
>>> guaranteed that the server would always do the additional processing
>>> to ensure that you got to the canonical name at the end of the chain.
>>>
>>> I guess I've been mistaken?  :-)
>>>
>> RFC 1034, Section 3.6.2
>>
>> [...]
>>
>> Domain names in RRs which point at another name should always point at
>> the primary name and not the alias.  This avoids extra indirections in
>> accessing information.
>>
>> ---
>>
>> I've never understood why BIND is so liberal about this, when it's so strict
>> about so many other things. Surely it can't be because of the "should"
>> language, can it? Given the time and context in which 1034 was written, that
>> "should" is to be treated as a MUST for all practical intents and purposes.
>
> 	I suggest that you read the entire paragraph.  Quotes should not
> 	be taken out of context.
>
Suggestion noted and acted upon. The rest of the paragraph consists of 
a) an example of correct CNAME usage, and b) an appeal to the Robustness 
Principle. As for the Robustness Principle, I'm not saying that BIND 
should *fail* when encountering a chained CNAME from an external source. 
But it should probably reject master zone files containing chained 
CNAMEs -- that would fall under the "conservative in what you send" part 
of the Robustness Principle (data in master files are clearly "sent" 
data). Slave zone files containing chained CNAMEs? Hmmm, that's a bit of 
a gray area, since the data are both "received" and "sent" in that case.

                                                                         
                     - Kevin
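
The check suggested in the message above (rejecting master zone files that contain chained CNAMEs) can be approximated before a zone is published. The following is an added example, not part of the original post and not BIND code; the simplified parser, the function names and the sample zone are assumptions made for illustration.

```python
# Added example: flag CNAMEs whose target is itself an alias in the same zone.
# Assumes one record per line with explicit owner names; sample data is constructed.
SAMPLE_ZONE = """\
$ORIGIN example.com.
www      3600 IN CNAME web.example.com.
web      IN CNAME host1
host1    IN A     192.0.2.10
ftp      IN CNAME host1
loop-a   IN CNAME loop-b
loop-b   IN CNAME loop-a
"""

def absolute(name, origin):
    """Qualify a relative name against $ORIGIN and normalise case."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin.lstrip('.')}".lower()

def parse_cnames(zone_text):
    """Return {owner: target} for every CNAME record in the zone text."""
    origin, cnames = ".", {}
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop comments
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].lower()
            continue
        upper = [f.upper() for f in fields]
        # Type follows the owner and the optional TTL and class fields.
        if "CNAME" in upper[1:4] and len(fields) > upper.index("CNAME", 1) + 1:
            i = upper.index("CNAME", 1)
            cnames[absolute(fields[0], origin)] = absolute(fields[i + 1], origin)
    return cnames

def chained_cnames(zone_text):
    """Return {owner: [owner, alias, ..., final]} for CNAMEs pointing at an alias."""
    cnames, report = parse_cnames(zone_text), {}
    for owner, target in cnames.items():
        if target not in cnames:
            continue  # target is canonical or lives outside this zone
        chain, seen = [owner], {owner}
        while target in cnames and target not in seen:
            chain.append(target)
            seen.add(target)
            target = cnames[target]
        chain.append(target)  # final name, or the repeated name when it loops
        report[owner] = chain
    return report
```

A non-empty result from `chained_cnames` is the condition a pre-load check would refuse; a chain whose last element repeats an earlier one is a CNAME loop.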



