CNAME Rules

Srinivas Krishnan shrin.krishnan at gmail.com
Mon Jun 25 21:56:51 UTC 2012


Mark,

Is the first parsing step over both the Answer and Additional sections? I was under the impression that "Named" parses the response into RRSets from the Answer section and, if there is a CNAME chain within the same zone, it follows the chain as well, but no Additional sections are checked for CNAMEs. Is that correct?

-srinivas

On Monday, June 25, 2012 5:53:04 PM UTC-4, Mark Andrews wrote:
> In message <CA+zrinE1sHkojS1fCNdcgZtF-+QQrTkqmRcfXZ1kUiBr=SQr9w at mail.gmail.com>
> , Srinivas Krishnan writes:
> > The RFC rules on CNAMEs is fairly tight but I am seeing an increasing
> > amount of traffic with misconfigured CNAMEs some of which are accepted
> > by BIND as valid responses. The examples capture three trends, note
> > these are actual responses:
> 
> 	Named first parses the response to extract the records into
> 	RRsets.  Responses with multiple CNAMES are detected at
> 	this point and get rejected.  Named then tries to interpret
> 	the parsed message and once it has seen the CNAME and
> 	associated RRSIGs it stops processing the result and issues
> 	a new query for the target of the CNAME.  This is done to
> 	stop the cache being poisoned.
> 
> > 1) Example-1: CNAME in the additional section necessary to finish
> > processing of response. BIND accepts this as valid:
> > 
> > proto: DNS: id=febd qr=1 QUERY AA NOERROR qdcount=1 ancount=7
> > nscount=6 arcount=7
> >     query: after12.failblog.org. A IN
> >     answer: after12.failblog.org. CNAME IN TTL=3600 chzallnighter.wordpress.com.
> >     answer: vip-lb.wordpress.com. A IN TTL=300 72.233.104.123
> >     nameserver: wordpress.com. NS IN TTL=14400 ns1.wordpress.com.
> >     nameserver: wordpress.com. NS IN TTL=14400 ns2.wordpress.com.
> >     additional: chzallnighter.wordpress.com. CNAME IN TTL=300 vip-lb.wordpress.com.
> >     additional: ns1.wordpress.com. A IN TTL=14400 72.233.69.14
> >     additional: ns2.wordpress.com. A IN TTL=14400 76.74.159.137
> > 
> > 2) Example-2: Multiple CNAMEs with same label but different data, BIND
> > finds this to be incorrect and retries if another nameserver is
> > available:
> > 
> > 
> > proto: DNS: id=8faa qr=1 QUERY AA NOERROR qdcount=1 ancount=2 nscount=13
> >     query: image.dhgate.com. A IN
> >     answer: image.dhgate.com. CNAME IN TTL=7200 image.dhgate.chinacache.net.
> >     answer: image.dhgate.com. CNAME IN TTL=7200 image.dhgate.com.cdn20.com.
> >     nameserver: . NS IN TTL=518400 a.root-servers.net.
> >     nameserver: . NS IN TTL=518400 b.root-servers.net.
> >     nameserver: . NS IN TTL=518400 c.root-servers.net.
> > 
> > 3) Example-3: Multiple CNAMEs with the same label and data, BIND finds this to
> > be incorrect as well and retries.
> > 
> > proto: DNS: id=a0f6 qr=1 QUERY AA NOERROR qdcount=1 ancount=2
> > nscount=3 arcount=3
> >     query: www.smilebox.com. A IN
> >     answer: www.smilebox.com. CNAME IN TTL=3600 www.g.smilebox.com.
> >     answer: www.smilebox.com. CNAME IN TTL=3600 www.g.smilebox.com.
> >     nameserver: smilebox.com. NS IN TTL=86400 ns1.smilebox.com.
> >     nameserver: smilebox.com. NS IN TTL=86400 ns2.smilebox.com.
> >     nameserver: smilebox.com. NS IN TTL=86400 ns3.smilebox.com.
> >     additional: ns1.smilebox.com. A IN TTL=86400 207.66.132.8
> >     additional: ns2.smilebox.com. A IN TTL=86400 216.218.214.52
> >     additional: ns3.smilebox.com. A IN TTL=86400 71.164.20.101
> > 
> > 
> > My question really is: what are the rules governing CNAME processing in
> > BIND, and why is Example-1 allowed as valid?
> > 
> > 
> > -srinivas
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> >  from this list
> > 
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
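To make the rules Mark describes concrete, the following is an added example (editor's code, not BIND's nor anything from either poster) that replays the three responses from the thread through a small Python model of the resolver-side checks: group the Answer section into RRsets keyed by (owner, type, class), reject any owner that carries more than one CNAME record (Examples 2 and 3, including the duplicated record in Example 3), and otherwise walk the chain using Answer-section RRsets only, stopping and re-querying for the target as soon as the chain leaves the Answer section (Example 1, whose Additional-section CNAME is never consulted). The `proto: DNS:` text layout is parsed as it appears in the quoted mails; the sample strings below are constructed transcriptions of those three examples, and the parse/walk functions are assumptions of this illustration, not named's own data structures.

```python
import re
from collections import defaultdict

# Constructed samples, transcribed from the three examples quoted in the thread.
EXAMPLE_1 = """\
query: after12.failblog.org. A IN
answer: after12.failblog.org. CNAME IN TTL=3600 chzallnighter.wordpress.com.
answer: vip-lb.wordpress.com. A IN TTL=300 72.233.104.123
nameserver: wordpress.com. NS IN TTL=14400 ns1.wordpress.com.
additional: chzallnighter.wordpress.com. CNAME IN TTL=300 vip-lb.wordpress.com.
additional: ns1.wordpress.com. A IN TTL=14400 72.233.69.14
"""
EXAMPLE_2 = """\
query: image.dhgate.com. A IN
answer: image.dhgate.com. CNAME IN TTL=7200 image.dhgate.chinacache.net.
answer: image.dhgate.com. CNAME IN TTL=7200 image.dhgate.com.cdn20.com.
nameserver: . NS IN TTL=518400 a.root-servers.net.
"""
EXAMPLE_3 = """\
query: www.smilebox.com. A IN
answer: www.smilebox.com. CNAME IN TTL=3600 www.g.smilebox.com.
answer: www.smilebox.com. CNAME IN TTL=3600 www.g.smilebox.com.
nameserver: smilebox.com. NS IN TTL=86400 ns1.smilebox.com.
additional: ns1.smilebox.com. A IN TTL=86400 207.66.132.8
"""

# One line of the "proto: DNS:" dump: section, owner, type, class, optional TTL and rdata.
LINE_RE = re.compile(
    r"^\s*(query|answer|nameserver|additional):\s+(\S+)\s+(\S+)\s+(\S+)"
    r"(?:\s+TTL=(\d+)\s+(.*))?$"
)


def parse_response(text):
    """Return (qname, qtype, sections); sections maps section name -> list of records."""
    qname = qtype = None
    sections = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines such as "proto: DNS: ..." carry no record
        section, owner, rtype, rclass, ttl, rdata = m.groups()
        if section == "query":
            qname, qtype = owner.lower(), rtype
        else:
            sections[section].append((owner.lower(), rtype, rclass, int(ttl), rdata.strip()))
    return qname, qtype, sections


def rrsets(records):
    """Group records into RRsets keyed by (owner, type, class).

    A list (not a set) is kept per key so that a duplicated record, as in
    Example 3, still counts as two CNAMEs at the same owner.
    """
    sets = defaultdict(list)
    for owner, rtype, rclass, _ttl, rdata in records:
        sets[(owner, rtype, rclass)].append(rdata)
    return sets


def check_cname_response(text):
    """Model the resolver-side decision for one response.

    Returns one of:
      ("reject", reason)        response is malformed and should be retried elsewhere
      ("answer", [rdata, ...])  the Answer section resolves the query name fully
      ("follow", target)        chain leaves the Answer section; re-query for target
      ("nodata", qname)         no CNAME and no matching RRset for the query name
    """
    qname, qtype, sections = parse_response(text)
    answer = rrsets(sections["answer"])

    # Rule 1: an owner may carry at most one CNAME; more than one is rejected outright.
    for (owner, rtype, _rclass), rdatas in answer.items():
        if rtype == "CNAME" and len(rdatas) > 1:
            return ("reject", f"{owner} has {len(rdatas)} CNAME records")

    # Rule 2: walk the chain using Answer-section RRsets only; Additional is ignored.
    name, seen = qname, set()
    while True:
        if name in seen:
            return ("reject", f"CNAME loop at {name}")
        seen.add(name)
        if (name, qtype, "IN") in answer:
            return ("answer", answer[(name, qtype, "IN")])
        cname = answer.get((name, "CNAME", "IN"))
        if not cname:
            # The chain is not completed inside the Answer section: stop here and
            # issue a fresh query for the current name rather than trusting other sections.
            return ("follow", name) if name != qname else ("nodata", qname)
        name = cname[0].lower()


if __name__ == "__main__":
    for label, sample in (("Example-1", EXAMPLE_1), ("Example-2", EXAMPLE_2), ("Example-3", EXAMPLE_3)):
        print(label, check_cname_response(sample))
```

Running the block prints a `follow` decision for Example-1 (the resolver re-queries `chzallnighter.wordpress.com.` and never looks at the Additional-section CNAME or the unrelated `vip-lb` A record) and a `reject` for Examples 2 and 3, which is the behaviour the thread reports for BIND.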
