<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
</head><body><p>Makes sense. Better safe than sorry.</p><p><br></p><p>Thanks,</p><p><br></p><p>Steve.</p><p><br></p><blockquote type="cite"><p>On October 21, 2015 at 4:01 PM Mark Andrews &lt;marka@isc.org&gt; wrote:<br><br><br><br>To prevent cache poisoning via cnames. It is simpler to always<br>look up the target of the cname than to figure out if we would<br>accept the following data.<br><br>server A has zones foo.example and bar.example configured<br>server B has zone bar.example configured<br><br>bar.example is only delegated to server B of the two servers above.<br><br>There is a cname from www.foo.example -> www.bar.example<br><br>Server A returns a complete answer but the www.bar.example data is<br>from the wrong zone instance. This happens accidentally in real<br>life.<br><br>Mark<br><br>In message &lt;1401468033.15948.1445459552099.JavaMail.vpopmail@atl4oxapp02pod1.mgt.hosting.qts.netsol.com&gt;, Steve Arntzen writes:<br>> <br>> I'm sure there's a good, simple reason for this, I just can't seem to find the<br>> answer searching on the Internet.<br>> <br>> <br>> Why does named perform a lookup for the A record when its IP is returned with<br>> the CNAME in the first answer?<br>> <br>> <br>> Using dig, I find play.google.com is a CNAME for play.l.google.com.<br>> <br>> <br>> When asked to resolve it, named will first look for play.google.com.
The result<br>> will include the CNAME and the IP of the A record.<br>> <br>> <br>> Named then makes a second request to resolve the A record.<br>> <br>> <br>> Thanks in advance,<br>> <br>> <br>> Steve.<br>-- <br>Mark Andrews, ISC<br>1 Seymour St., Dundas Valley, NSW 2117, Australia<br>PHONE: +61 2 9871 4742 INTERNET: marka@isc.org<br></p></blockquote></body></html>
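The two-server scenario from Mark's message, as a constructed Python model (an added illustration, not part of the thread and not BIND's code). It compares a resolver that caches everything returned after the CNAME with one that keeps only the CNAME and looks up the target again. The function names, the simplified zone matching and the documentation-range addresses are assumptions.

```python
# Constructed model of the scenario in the message; no network traffic is sent.
# Each server is {zone: {(name, rtype): value}}. Addresses are documentation ranges.
SERVER_A = {
    "foo.example": {("www.foo.example", "CNAME"): "www.bar.example"},
    # Server A's own copy of bar.example, which is not the delegated instance.
    "bar.example": {("www.bar.example", "A"): "192.0.2.10"},
}
SERVER_B = {"bar.example": {("www.bar.example", "A"): "198.51.100.20"}}
# The delegations: which server the parent zone points at for each zone.
DELEGATION = {"foo.example": SERVER_A, "bar.example": SERVER_B}


def zone_of(name):
    """Return the delegated zone enclosing name (longest suffix match)."""
    return max((z for z in DELEGATION if name.endswith("." + z)), key=len)


def answer(server, name):
    """Answer like a server that follows CNAMEs through every zone it has loaded."""
    records = []
    while True:
        for zone in server.values():
            if (name, "CNAME") in zone:
                records.append((name, "CNAME", zone[(name, "CNAME")]))
                name = records[-1][2]
                break  # keep chasing the chain from the CNAME target
            if (name, "A") in zone:
                return records + [(name, "A", zone[(name, "A")])]
        else:
            return records  # no data for this name on this server


def resolve(name, requery_cname_target):
    """Resolve name to an address; returns (address, cache)."""
    cache = {}
    while True:
        response = answer(DELEGATION[zone_of(name)], name)
        if not response:
            raise LookupError(name)
        if requery_cname_target:
            # Keep only the record that answers the question asked; whatever
            # followed the CNAME is fetched again from the target's own servers.
            response = response[:1]
        cache.update({(owner, rtype): value for owner, rtype, value in response})
        owner, rtype, value = response[-1]
        if rtype == "A":
            return value, cache
        name = value  # the last record is a CNAME: continue with its target
```

With `requery_cname_target=False` the cache ends up holding server A's copy of the `www.bar.example` address; with `True` it holds the address from server B, the server the zone is delegated to.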