NODATA type 3 with CNAME

James Ponder james at squish.net
Sat Aug 2 16:21:31 UTC 2008


On Sat, Aug 02, 2008 at 12:37:31PM +0000, Paul Vixie wrote:
> i believe kaminsky has shown us that no answer whose owner name does not
> match the question name, even if it appears to be within the same zone,
> should be cached.  so, at a minimum, to your question above, i say yes.
...
> and on a properly paranoid caching resolver, it takes 4 transactions to
> build the following (and in this case you can see a difference in TTLs):
> 
> ;; ANSWER SECTION:
> www.microsoft.com.      3599    IN      CNAME   toggle.www.ms.akadns.net.
> toggle.www.ms.akadns.net. 299   IN      CNAME   g.www.ms.akadns.net.
> g.www.ms.akadns.net.    299     IN      CNAME   lb1.www.ms.akadns.net.
> lb1.www.ms.akadns.net.  300     IN      A       207.46.19.254
> lb1.www.ms.akadns.net.  300     IN      A       207.46.192.254
> lb1.www.ms.akadns.net.  300     IN      A       207.46.193.254
> lb1.www.ms.akadns.net.  300     IN      A       207.46.19.190
> lb1.www.ms.akadns.net.  300     IN      A       65.55.21.250

That's a nice case, thanks for pointing it out.

Unless I'm mistaken (using tcpdump) bind (9.5.0-P1) does this in 3
transactions:
1. initial query for www.microsoft.com stopping at the CNAME toggle
2. query for toggle from akadns.net nameservers, stopping at lb1
3. query for lb1

It appears to process the two CNAMEs on akadns.net together, so there's
never a request relating to g.www.ms.akadns.net.

I'm confused why Bind would accept the g.www.ms.akadns.net CNAME when it
asked about toggle.www.ms.akadns.net and yet not accept the A records
for lb1.www.ms.akadns.net at the same time?

I'm also not seeing the rationale behind not accepting the whole chain
from toggle down to the A records - we know we're talking to the
akadns.net authoritative nameserver after all.  Isn't it being overly
paranoid rather than properly paranoid?

Thanks for your help.

James
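The two policies being compared above can be modelled in a few lines. The following is an added example written for this page; it is not code from the thread, from BIND, or from either author. It simulates the CNAME/A chain quoted in the thread with two constructed authoritative servers (one for microsoft.com., one for akadns.net.), and resolves www.microsoft.com. under Vixie's strict rule (cache only records whose owner name is the question name) and under the chain-following reading James asks about (accept the whole CNAME chain as long as every owner stays inside the answering server's bailiwick). The bailiwick layout, the `extra` parameter and the off-question record using the documentation address 203.0.113.1 are assumptions made for the model; the resolver shown is deliberately minimal and models nothing beyond owner-name and bailiwick checks.

```python
"""Model of two cache-acceptance policies from the bind-users thread.

Constructed data: the CNAME/A chain is the one quoted in the thread (two of
the A records kept); the zone/bailiwick split is an assumption.
"""

CHAIN = [
    ("www.microsoft.com.", "CNAME", "toggle.www.ms.akadns.net."),
    ("toggle.www.ms.akadns.net.", "CNAME", "g.www.ms.akadns.net."),
    ("g.www.ms.akadns.net.", "CNAME", "lb1.www.ms.akadns.net."),
    ("lb1.www.ms.akadns.net.", "A", "207.46.19.254"),
    ("lb1.www.ms.akadns.net.", "A", "207.46.192.254"),
]

# Assumed bailiwicks: each is served by its own authoritative server.
BAILIWICKS = ["microsoft.com.", "akadns.net."]


def in_bailiwick(name, zone):
    return name == zone or name.endswith("." + zone)


def server_for(name):
    """Which constructed server is authoritative for name."""
    for zone in BAILIWICKS:
        if in_bailiwick(name, zone):
            return zone
    raise KeyError(name)


def authoritative_answer(zone, qname, extra=()):
    """What the zone's server sends for qname: the chain from qname onward,
    as far as it continues inside this zone, plus any 'extra' records a
    misbehaving sender might append (constructed, for the policy check)."""
    answer, name = [], qname
    while True:
        rrs = [rr for rr in CHAIN if rr[0] == name and in_bailiwick(name, zone)]
        answer.extend(rrs)
        cnames = [rr for rr in rrs if rr[1] == "CNAME"]
        if not cnames:
            break
        name = cnames[0][2]
    return answer + list(extra)


def strict_policy(qname, zone, answer):
    """Vixie's rule: only records whose owner name equals the question name."""
    return [rr for rr in answer if rr[0] == qname]


def chain_policy(qname, zone, answer):
    """James's reading: follow the CNAME chain inside one answer, but only
    while every owner name stays within the answering server's bailiwick."""
    accepted, wanted = [], {qname}
    for owner, rtype, rdata in answer:
        if owner in wanted and in_bailiwick(owner, zone):
            accepted.append((owner, rtype, rdata))
            if rtype == "CNAME":
                wanted.add(rdata)
    return accepted


def resolve(qname, policy, extra=()):
    """Resolve qname under a policy. Returns (addresses, transactions, cache).
    The 'extra' records are appended only to the microsoft.com. answer."""
    cache, transactions, name = {}, 0, qname
    while transactions < 16:
        zone = server_for(name)
        transactions += 1
        answer = authoritative_answer(zone, name, extra if zone == "microsoft.com." else ())
        accepted = policy(name, zone, answer)
        if not accepted:
            raise RuntimeError("nothing cacheable in answer for %s" % name)
        for owner, rtype, rdata in accepted:
            cache.setdefault((owner, rtype), []).append(rdata)
        # Follow CNAMEs already in the cache; re-query only if the chain stalls.
        while (name, "CNAME") in cache:
            name = cache[(name, "CNAME")][0]
        if (name, "A") in cache:
            return cache[(name, "A")], transactions, cache
    raise RuntimeError("resolution did not converge")


if __name__ == "__main__":
    for pol in (strict_policy, chain_policy):
        addrs, n, _ = resolve("www.microsoft.com.", pol)
        print("%-13s %d transactions -> %s" % (pol.__name__, n, addrs))
```

Under the strict policy the model needs four transactions, one per owner name in the chain, which is the count Vixie quotes; the in-bailiwick chain policy needs two, since the akadns.net. server hands over the rest of the chain in one answer. Both reject an off-question A record for lb1.www.ms.akadns.net. appended to the microsoft.com. server's answer: the strict rule because its owner is not the question name, the chain rule because that owner is outside the answering server's bailiwick. The difference between the two lies only in how much of a same-bailiwick chain one answer is allowed to populate.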

