NODATA type 3 with CNAME
Paul Vixie
vixie at isc.org
Sat Aug 2 12:37:31 UTC 2008
James Ponder <james at squish.net> writes:
> I guess perhaps the problem is RFC 2308 was written in the days before
> bailiwick checks.
not at all. but bailiwick used to mean "glue had to be related" and that
"authority had to be between initiator's zone cut and responder's zone cut."
> So, would you say the correct algorithm to detect a NODATA in this
> situation is to check if the value of the last CNAME is in-bailiwick or
> not? If it's in-bailiwick then it's a type 3 NODATA, if it's outside
> then the nameserver will restart the query with the target?
i believe kaminsky has shown us that no answer whose owner name does not
match the question name, even if it appears to be within the same zone,
should be cached. so, at a minimum, to your question above, i say yes.
> Likewise, in the case of
> bailiwick bbc.co.uk, NOERROR, 2 ans, 0 auth, 0 add
> lookup news.bbc.co.uk type A
> Answer 1: news.bbc.co.uk CNAME something.else
> Answer 2: something.else CNAME news2.bbc.co.uk
>
> Would I be correct in saying a resolver should not accept this as a type
> 3 NODATA and should ignore the out-of-bailiwick second CNAME, and
> restart using the target of the first CNAME?
yes.
and on a properly paranoid caching resolver, it takes 4 transactions to
build the following (and in this case you can see a difference in TTLs):
;; ANSWER SECTION:
www.microsoft.com. 3599 IN CNAME toggle.www.ms.akadns.net.
toggle.www.ms.akadns.net. 299 IN CNAME g.www.ms.akadns.net.
g.www.ms.akadns.net. 299 IN CNAME lb1.www.ms.akadns.net.
lb1.www.ms.akadns.net. 300 IN A 207.46.19.254
lb1.www.ms.akadns.net. 300 IN A 207.46.192.254
lb1.www.ms.akadns.net. 300 IN A 207.46.193.254
lb1.www.ms.akadns.net. 300 IN A 207.46.19.190
lb1.www.ms.akadns.net. 300 IN A 65.55.21.250
--
Paul Vixie
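The rule Vixie agrees to above (accept an answer record only when its owner is the name currently being chased and that name is inside the bailiwick of the server that was queried; stop at the first CNAME whose target leaves the bailiwick and restart there; treat an in-bailiwick chain that ends with no data of the requested type as a type 3 NODATA) can be written down as a small vetting function. The following is an added illustration and is not code from BIND or from anyone in this thread; the RR class, the function names and the sample responses (rebuilt from the bbc.co.uk scenario quoted above and the first CNAME of the microsoft.com answer section) are all constructed for the example.

```python
"""Vet a CNAME chain in a DNS answer section against the bailiwick.

Added example, not code from BIND or from the thread. It applies the
rule discussed: a resolver uses a record from a response only when the
record's owner is the name currently being asked about and that name is
inside the bailiwick of the zone the query went to. The first CNAME
target outside the bailiwick ends the walk; anything after it in the
response is ignored and the lookup restarts at that target.
"""

from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record as it appears in an answer section."""

    owner: str
    ttl: int
    rtype: str
    rdata: str


def _norm(name: str) -> str:
    # DNS names are case-insensitive; strip the trailing dot for comparison.
    return name.rstrip(".").lower()


def in_bailiwick(name: str, zone: str) -> bool:
    """True when name is the zone apex itself or lies below it."""
    n, z = _norm(name), _norm(zone)
    return n == z or n.endswith("." + z)


def vet_answer(qname: str, qtype: str, zone: str, answers: list[RR]):
    """Walk the answer section from qname, following CNAMEs.

    Returns (accepted, restart_target, nodata):
      accepted       - records from this response that may be used and cached
      restart_target - name to re-query from its own authority, or None
      nodata         - True when the chain ends in-bailiwick with no record
                       of type qtype (a "type 3" NODATA in RFC 2308 terms)
    """
    accepted: list[RR] = []
    current = qname
    seen: set[str] = set()
    while True:
        if not in_bailiwick(current, zone):
            # The target is outside this server's bailiwick: nothing this
            # response says about it is trusted; restart the lookup there.
            return accepted, current, False
        if _norm(current) in seen:
            # CNAME loop inside the zone; there is no usable data.
            return accepted, None, True
        seen.add(_norm(current))
        # Only records owned by the name currently being chased count; any
        # other record in the section (e.g. a second CNAME owned by an
        # out-of-bailiwick name) is ignored rather than cached.
        rrs = [r for r in answers if _norm(r.owner) == _norm(current)]
        cnames = [r for r in rrs if r.rtype == "CNAME"]
        if cnames:
            accepted.append(cnames[0])
            current = cnames[0].rdata
            continue
        final = [r for r in rrs if r.rtype == qtype]
        if not final:
            return accepted, None, True
        accepted.extend(final)
        return accepted, None, False


# Constructed sample: the bbc.co.uk case quoted in the thread.
BBC_ANSWER = [
    RR("news.bbc.co.uk", 300, "CNAME", "something.else"),
    RR("something.else", 300, "CNAME", "news2.bbc.co.uk"),
]

if __name__ == "__main__":
    acc, restart, nodata = vet_answer("news.bbc.co.uk", "A", "bbc.co.uk", BBC_ANSWER)
    print("accepted:", [(r.owner, r.rtype, r.rdata) for r in acc])
    print("restart at:", restart, "nodata:", nodata)
```

Run against the quoted bbc.co.uk response, the function accepts only the first CNAME, ignores the second one (its owner `something.else` is outside `bbc.co.uk`), and reports `something.else` as the name to restart at; the same response with a single in-bailiwick CNAME and nothing further comes back as NODATA. A real resolver would additionally apply RFC 2308 negative-caching TTL rules to that NODATA, which this example leaves out.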