CNAME Rules

Srinivas Krishnan shrin.krishnan at gmail.com
Mon Jun 25 21:34:09 UTC 2012


Chuck,

You are using a caching resolver to check the responses, and you only see the response after it's been resolved by Google's DNS server. Try dig @ns1.wordpress.com after12.failblog.org. to see the actual records that you would receive if you were a DNS server performing an authoritative query to wordpress.

Is having a CNAME in the additional section regular CNAME chaining? My understanding was that additional sections do not contain CNAMEs.

-srinivas 

On Monday, June 25, 2012 5:29:24 PM UTC-4, Chuck Swiger wrote:
> On Jun 25, 2012, at 2:13 PM, Srinivas Krishnan wrote:
> > The RFC rules on CNAMEs are fairly tight, but I am seeing an increasing
> > amount of traffic with misconfigured CNAMEs some of which are accepted
> > by BIND as valid responses. The examples capture three trends, note
> > these are actual responses:
> > 
> > 1) Example-1: CNAME in the additional section necessary to finish
> > processing of response. BIND accepts this as valid:
> > 
> > proto: DNS: id=febd qr=1 QUERY AA NOERROR qdcount=1 ancount=7
> > nscount=6 arcount=7
> >    query: after12.failblog.org. A IN
> >    answer: after12.failblog.org. CNAME IN TTL=3600 chzallnighter.wordpress.com.
> >    answer: vip-lb.wordpress.com. A IN TTL=300 72.233.104.123
> >    nameserver: wordpress.com. NS IN TTL=14400 ns1.wordpress.com.
> >    nameserver: wordpress.com. NS IN TTL=14400 ns2.wordpress.com.
> >    additional: chzallnighter.wordpress.com. CNAME IN TTL=300
> > vip-lb.wordpress.com.
> >    additional: ns1.wordpress.com. A IN TTL=14400 72.233.69.14
> >    additional: ns2.wordpress.com. A IN TTL=14400 76.74.159.137
> 
> This is standard CNAME chaining, per RFC-1034:
> 
> % dig after12.failblog.org @8.8.8.8
> [ ... ]
> ;; QUESTION SECTION:
> ;after12.failblog.org.		IN	A
> 
> ;; ANSWER SECTION:
> after12.failblog.org.	3416	IN	CNAME	chzallnighter.wordpress.com.
> chzallnighter.wordpress.com. 116 IN	CNAME	vip-lb.wordpress.com.
> vip-lb.wordpress.com.	116	IN	A	74.200.247.187
> vip-lb.wordpress.com.	116	IN	A	76.74.255.117
> vip-lb.wordpress.com.	116	IN	A	76.74.255.123
> vip-lb.wordpress.com.	116	IN	A	72.233.104.123
> vip-lb.wordpress.com.	116	IN	A	72.233.127.217
> vip-lb.wordpress.com.	116	IN	A	74.200.247.59
> 
> > 2) Example-2: Multiple CNAMEs with same label but different data, BIND
> > finds this to be incorrect and retries if another nameserver is
> > available:
> > 
> > 
> > proto: DNS: id=8faa qr=1 QUERY AA NOERROR qdcount=1 ancount=2 nscount=13
> >    query: image.dhgate.com. A IN
> >    answer: image.dhgate.com. CNAME IN TTL=7200 image.dhgate.chinacache.net.
> >    answer: image.dhgate.com. CNAME IN TTL=7200 image.dhgate.com.cdn20.com.
> >    nameserver: . NS IN TTL=518400 a.root-servers.net.
> >    nameserver: . NS IN TTL=518400 b.root-servers.net.
> >    nameserver: . NS IN TTL=518400 c.root-servers.net.
> 
> % dig image.dhgate.com @8.8.8.8
> [ ... ]
> ;; QUESTION SECTION:
> ;image.dhgate.com.		IN	A
> 
> ;; ANSWER SECTION:
> image.dhgate.com.	26	IN	CNAME	image.dhgate.com.cdn20.com.
> image.dhgate.com.cdn20.com. 29	IN	CNAME	image.dhgate.com.wscdns.com.
> image.dhgate.com.wscdns.com. 29	IN	CNAME	dhgate.com.edgesuite.net.
> dhgate.com.edgesuite.net. 1381	IN	CNAME	a1015.b.akamai.net.
> a1015.b.akamai.net.	20	IN	A	65.121.208.137
> a1015.b.akamai.net.	20	IN	A	65.121.208.120
> 
> I wonder where chinacache.net came from in your case, unless they are using
> different CDNs in different parts of the world.  Around here, they're using
> Akamai EdgeSuite.
> 
> Again, this looks to be standard CNAME chaining, only your query didn't chase
> image.dhgate.com.cdn20.com any further.
> 
> > 3) Example-3: Multiple CNAMEs with the same label and data; BIND finds this to
> > be incorrect as well and retries.
> > 
> > proto: DNS: id=a0f6 qr=1 QUERY AA NOERROR qdcount=1 ancount=2
> > nscount=3 arcount=3
> >    query: www.smilebox.com. A IN
> >    answer: www.smilebox.com. CNAME IN TTL=3600 www.g.smilebox.com.
> >    answer: www.smilebox.com. CNAME IN TTL=3600 www.g.smilebox.com.
> >    nameserver: smilebox.com. NS IN TTL=86400 ns1.smilebox.com.
> >    nameserver: smilebox.com. NS IN TTL=86400 ns2.smilebox.com.
> >    nameserver: smilebox.com. NS IN TTL=86400 ns3.smilebox.com.
> >    additional: ns1.smilebox.com. A IN TTL=86400 207.66.132.8
> >    additional: ns2.smilebox.com. A IN TTL=86400 216.218.214.52
> >    additional: ns3.smilebox.com. A IN TTL=86400 71.164.20.101
> > 
> > My question really is: what are the rules governing CNAME processing in
> > BIND, and why is Example-1 allowed as valid?
> 
> From here, this gets:
> 
> % dig www.smilebox.com @8.8.8.8
> [ ... ]
> ;; QUESTION SECTION:
> ;www.smilebox.com.		IN	A
> 
> ;; ANSWER SECTION:
> www.smilebox.com.	3421	IN	CNAME	www.g.smilebox.com.
> www.g.smilebox.com.	121	IN	A	216.218.214.53
> 
> ...which is a single CNAME pointing to an A record.  Are you sure your "ancount=2"
> was really two copies of the same CNAME, rather than a CNAME and A record?
> 
> Regards,
> -- 
> -Chuck

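The three responses quoted in the thread can be checked mechanically. The following is an added example, written for this page and not code from BIND or from either poster; it encodes my reading of the RFC 1034 / RFC 2181 CNAME rules (one CNAME per owner name, no duplicate RRs in an RRset, the chain chased through the answer section only, loops rejected), not what BIND actually does internally. The tuple record format, the MAX_CHAIN cap and the policy of ignoring a CNAME that appears only in the additional section are assumptions of the example; the sample messages are constructed from the records quoted above.

```python
from collections import defaultdict

MAX_CHAIN = 16  # assumption: an arbitrary cap for this example, not BIND's limit


def _n(name):
    """Lower-case a domain name and give it exactly one trailing dot."""
    return name.lower().rstrip('.') + '.'


def check_cname_rrsets(records):
    """Rules 2 and 3: at most one CNAME per owner name, and no duplicate RRs.
    records are (section, owner, type, ttl, data) tuples (example format)."""
    problems = []
    per_owner = defaultdict(list)
    for section, owner, rtype, _ttl, data in records:
        if rtype == 'CNAME':
            per_owner[(section, _n(owner))].append(_n(data))
    for (section, owner), targets in sorted(per_owner.items()):
        if len(targets) < 2:
            continue
        if len(set(targets)) == 1:
            problems.append(f"duplicate CNAME RR for {owner} in {section}")
        else:
            problems.append(f"{len(set(targets))} CNAMEs with different targets "
                            f"for {owner} in {section}")
    return problems


def chase_cname_chain(qname, qtype, records):
    """Rules 1 and 4: follow CNAMEs from qname through the ANSWER section only.
    Returns (status, final_rrs, problems); status is valid/incomplete/invalid."""
    answer = [r for r in records if r[0] == 'answer']
    additional = [r for r in records if r[0] == 'additional']
    current, seen, problems = _n(qname), [], []
    while True:
        if current in seen:
            problems.append(f"CNAME loop at {current}")
            return 'invalid', [], problems
        seen.append(current)
        if len(seen) > MAX_CHAIN:
            problems.append(f"CNAME chain longer than {MAX_CHAIN}")
            return 'invalid', [], problems
        finals = [r for r in answer if _n(r[1]) == current and r[2] == qtype]
        if finals:
            return 'valid', finals, problems
        links = [r for r in answer if _n(r[1]) == current and r[2] == 'CNAME']
        if len(links) > 1:  # two targets for one owner: no way to pick one
            problems.append(f"ambiguous CNAME for {current}: {len(links)} answers")
            return 'invalid', [], problems
        if not links:
            # Policy of this example: a CNAME that only shows up in ADDITIONAL
            # is not trusted to complete the answer.
            if any(_n(r[1]) == current and r[2] == 'CNAME' for r in additional):
                problems.append(f"chain for {current} continues only in "
                                f"ADDITIONAL, which is not used")
            else:
                problems.append(f"chain ends at {current} with no {qtype} "
                                f"or CNAME in ANSWER")
            return 'incomplete', [], problems
        current = _n(links[0][4])


def validate_response(qname, qtype, records):
    """Combine the RRset checks with the chain chase; any RRset error wins."""
    rrset_problems = check_cname_rrsets(records)
    status, finals, chain_problems = chase_cname_chain(qname, qtype, records)
    if rrset_problems:
        status = 'invalid'
    return status, finals, rrset_problems + chain_problems


# Constructed from the responses quoted in the thread (authority/additional
# records trimmed to what the checks need).
EXAMPLE_1 = [
    ('answer', 'after12.failblog.org.', 'CNAME', 3600, 'chzallnighter.wordpress.com.'),
    ('answer', 'vip-lb.wordpress.com.', 'A', 300, '72.233.104.123'),
    ('authority', 'wordpress.com.', 'NS', 14400, 'ns1.wordpress.com.'),
    ('additional', 'chzallnighter.wordpress.com.', 'CNAME', 300, 'vip-lb.wordpress.com.'),
    ('additional', 'ns1.wordpress.com.', 'A', 14400, '72.233.69.14'),
]
EXAMPLE_2 = [
    ('answer', 'image.dhgate.com.', 'CNAME', 7200, 'image.dhgate.chinacache.net.'),
    ('answer', 'image.dhgate.com.', 'CNAME', 7200, 'image.dhgate.com.cdn20.com.'),
]
EXAMPLE_3 = [
    ('answer', 'www.smilebox.com.', 'CNAME', 3600, 'www.g.smilebox.com.'),
    ('answer', 'www.smilebox.com.', 'CNAME', 3600, 'www.g.smilebox.com.'),
]
# The well-formed chain Google's resolver returned for the same name.
EXAMPLE_OK = [
    ('answer', 'www.smilebox.com.', 'CNAME', 3421, 'www.g.smilebox.com.'),
    ('answer', 'www.g.smilebox.com.', 'A', 121, '216.218.214.53'),
]

if __name__ == '__main__':
    for label, qname, recs in [('example-1', 'after12.failblog.org', EXAMPLE_1),
                               ('example-2', 'image.dhgate.com', EXAMPLE_2),
                               ('example-3', 'www.smilebox.com', EXAMPLE_3),
                               ('google', 'www.smilebox.com', EXAMPLE_OK)]:
        status, finals, problems = validate_response(qname, 'A', recs)
        print(label, status, [r[4] for r in finals], problems)
```

Under these rules Example-1 comes back "incomplete" (the chain breaks at chzallnighter.wordpress.com because its CNAME is only in the additional section), Example-2 and Example-3 are "invalid" (two CNAMEs for one owner, differing or duplicated), and the answer from 8.8.8.8 is "valid". Whether a given resolver is that strict is a separate question; the point of the check is to make the rule being applied explicit.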