Problem with cname target pointing to wildcard A record

Carl Byington carl at five-ten-sg.com
Tue Aug 22 17:43:53 UTC 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If we do

dig 1.2.3.4.blackholes.five-ten-sg.com a

we should get both a CNAME record, and the resulting A record, from any of
the authoritative dns servers, or from any dns server that will do
recursion for us. At least that is my understanding of correct operation.

1.2.3.4.blackholes.five-ten-sg.com. 86400 IN CNAME 4.3.208.65.dsl-verizon.net.misc.spam.blackholes.five-ten-sg.com.

4.3.208.65.dsl-verizon.net.misc.spam.blackholes.five-ten-sg.com. 864000 IN A 127.0.0.2

That A record is actually a wildcard
*.misc.spam.blackholes.five-ten-sg.com

This works on all the BIND servers, but is currently failing on some
authoritative Windows dns servers. In particular, if you try that dig
above on ns2.five-ten-sg.com, it only returns the CNAME record.

If the target of the CNAME is not a wildcard, it seems to work
properly.

dig 1.2.14.58.blackholes.five-ten-sg.com a @ns2.five-ten-sg.com

returns both the CNAME and the A record, since 'china.spam' is not a
wildcard.

Is there any known workaround for this on Windows, or is this difference
between BIND and Windows dns allowed by the dns spec?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFE60JCL6j7milTFsERAjvvAJ99W7H7SGU6VtF7GvNIQkT8KVbCxgCghljC
x8vEIJ74KKg3wT6VUaJeg2c=
=S+qT
-----END PGP SIGNATURE-----
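
Added example, not part of the original post and not code from BIND or Windows DNS: a minimal Python model of the RFC 1034 section 4.3.2 lookup, in which the server restarts the search at the CNAME target and synthesizes an answer from a matching wildcard. The zone data is constructed from the records quoted above; the `58.china.spam` target name and the `wildcard_after_cname` switch (which only reproduces the reported symptom, not any server's internals) are assumptions.

```python
# Constructed zone data modelled on the records quoted in the post (not the real zone).
ORIGIN = "blackholes.five-ten-sg.com."
ZONE = {
    "1.2.3.4." + ORIGIN: {"CNAME": "4.3.208.65.dsl-verizon.net.misc.spam." + ORIGIN},
    "*.misc.spam." + ORIGIN: {"A": "127.0.0.2"},
    "1.2.14.58." + ORIGIN: {"CNAME": "58.china.spam." + ORIGIN},  # hypothetical target
    "58.china.spam." + ORIGIN: {"A": "127.0.0.2"},
}

def name_exists(name):
    """True if name owns records or is an empty non-terminal in the zone."""
    return any(n == name or n.endswith("." + name) for n in ZONE)

def find_node(qname, allow_wildcard=True):
    """Exact match first; otherwise try the wildcard below the closest encloser."""
    if qname in ZONE:
        return ZONE[qname]
    if not allow_wildcard or not qname.endswith("." + ORIGIN) or name_exists(qname):
        return None
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):
        encloser = ".".join(labels[i:])
        if name_exists(encloser):            # closest existing ancestor
            return ZONE.get("*." + encloser)
    return None

def answer(qname, qtype="A", wildcard_after_cname=True):
    """Build the answer section, restarting the lookup at each CNAME target."""
    records, seen, restarted = [], set(), False
    while qname not in seen:                 # guard against CNAME loops
        seen.add(qname)
        node = find_node(qname, wildcard_after_cname or not restarted)
        if not node:
            break
        if qtype in node:
            records.append((qname, qtype, node[qtype]))
            break
        if "CNAME" not in node:
            break
        records.append((qname, "CNAME", node["CNAME"]))
        qname, restarted = node["CNAME"], True
    return records

def dangling_cname(records):
    """True when the answer ends in a CNAME with no address record after it."""
    return bool(records) and records[-1][1] == "CNAME"
```

Running `dangling_cname()` over the answer section returned by each authoritative server is a quick way to spot the ones that stop at the CNAME.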



