Why two lookups for a CNAME?

Mark Andrews marka at isc.org
Wed Oct 21 21:01:17 UTC 2015


To prevent cache poisoning via cnames.  It is simpler to always
look up the target of the cname than to figure out if we would
accept the following data.

server A has zones foo.example and bar.example configured
server B has zone bar.example configured

bar.example is only delegated to server B of the two servers above.

There is a cname from www.foo.example -> www.bar.example

Server A returns a complete answer but the www.bar.example data is
from the wrong zone instance.  This happens accidentally in real
life.

Mark

In message <1401468033.15948.1445459552099.JavaMail.vpopmail at atl4oxapp02pod1.mgt.hosting.qts.netsol.com>, Steve Arntzen writes:
> 
> I'm sure there's a good, simple reason for this, I just can't seem to find the
> answer searching on the Internet.
> 
> 
> Why does named perform a lookup for the A record when its IP is returned with
> the CNAME in the first answer?
> 
> 
> Using dig, I find play.google.com is a CNAME for play.l.google.com.
> 
> 
> When asked to resolve it, named will first look for play.google.com.  The result
> will include the CNAME and the IP of the A record.
> 
> 
> Named then makes a second request to resolve the A record.
> 
> 
> Thanks in advance,
> 
> 
> Steve.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
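
The two-server scenario from the reply above, as a toy model added here (not BIND's code and not part of the original message). The server table, the addresses and the function names are constructed for illustration; it compares a resolver that trusts the whole answer section with one that re-queries the CNAME target through the delegation.

```python
# Constructed data for the scenario in the message: bar.example is delegated
# only to server B, but server A also carries its own copy of the zone.
DELEGATIONS = {"foo.example.": "A", "bar.example.": "B"}
SERVERS = {
    "A": {("www.foo.example.", "CNAME"): "www.bar.example.",
          ("www.bar.example.", "A"): "192.0.2.66"},      # wrong zone instance
    "B": {("www.bar.example.", "A"): "198.51.100.10"},   # delegated instance
}

def delegated_server(name):
    """Return the server the delegation tree points at for name."""
    zones = [z for z in DELEGATIONS if name == z or name.endswith("." + z)]
    if not zones:
        raise LookupError("no delegation for " + name)
    return DELEGATIONS[max(zones, key=len)]  # closest enclosing zone wins

def server_answer(server, qname, qtype):
    """Answer like a server that follows CNAMEs into any zone it holds."""
    data, answer = SERVERS[server], []
    for _ in range(8):
        if (qname, qtype) in data:
            answer.append((qname, qtype, data[(qname, qtype)]))
            break
        if (qname, "CNAME") not in data:
            break
        target = data[(qname, "CNAME")]
        answer.append((qname, "CNAME", target))
        qname = target
    return answer

def resolve(qname, qtype, requery_target=True):
    """Return (rdata, servers queried).

    requery_target=True keeps only the record owned by the name that was
    asked for and looks the CNAME target up again via its own delegation.
    requery_target=False trusts the complete answer section as received.
    """
    queried = []
    for _ in range(8):  # bound the CNAME chain
        server = delegated_server(qname)
        queried.append(server)
        answer = server_answer(server, qname, qtype)
        if not answer:
            raise LookupError("no data for " + qname)
        _, rtype, rdata = answer[0] if requery_target else answer[-1]
        if rtype == qtype:
            return rdata, queried
        qname = rdata  # CNAME: restart the lookup at the target
    raise LookupError("CNAME chain too long")
```

With the second lookup the address comes from server B, the delegated instance; without it the resolver would cache server A's copy of www.bar.example.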

