bind-9.2.0 - a slight oddity with CNAMEs / additional-from-cache

Ted_Rule at flextech.co.uk Ted_Rule at flextech.co.uk
Thu Jun 6 16:22:38 UTC 2002




Whilst chasing down the source of some "query (cache) denied" syslog messages on
a bind-9.2.0 server, I noticed what at first sight seems to be an oddity with
CNAME handling when additional-from-cache is disabled.

With these global options in place:

        recursion no;
        additional-from-auth yes; // Yes == Default
        additional-from-cache no; // Yes == Default

        allow-query { any; };


I can query for a CNAME where the local server is auth, but the RDATA of the
CNAME belongs to another server. The curiosity is that a normal dig returns
REFUSED, whereas a non-recursive dig returns just the CNAME record. I had
expected that both queries would return the same CNAME-only result. Whilst this
doesn't cause a problem for normal operations, as properly delegated queries are
all non-recursive, it seems one might occasionally be confused whilst performing
manual diagnostics in this manner.

When making the same type of recursive query for a CNAME whose RDATA corresponds
to a zone loaded on the same server, the full answer/auth/additional sections
are returned, as expected.

The final oddity with this is that the REFUSED replies themselves don't actually
seem to correspond to any security or query category logging - my original
"query (cache) denied" messages seemingly corresponded to another problem. The
query is logged, but there doesn't appear to be any other log indicating a
problem with the query.

The bind-9.2.0 ARM mentions what happens when a non-recursive query for
something in the cache is REFUSED when the additional-from-cache setting is set
to no, but there's no explicit reference I can find to the behaviour for a
recursive query for a CNAME.

I would guess - though I haven't tested it - that similar oddities might occur
with DNAME chains.

Is all of the above to be expected, or is 9.2.0 slightly misbehaving here?

Sample digs for the various cases shown below.


Ted




$ dig @ns.flextech.co.uk www.ukplay.co.uk  +recurse

; <<>> DiG 8.2 <<>> @ns.flextech.co.uk www.ukplay.co.uk +recurse
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 57186
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      www.ukplay.co.uk, type = A, class = IN

;; Total query time: 1 msec
;; FROM: magomo to SERVER: ns.flextech.co.uk  195.188.171.2
;; WHEN: Thu Jun  6 16:48:48 2002
;; MSG SIZE  sent: 34  rcvd: 34

$ dig @ns.flextech.co.uk www.ukplay.co.uk  +norecurse

; <<>> DiG 8.2 <<>> @ns.flextech.co.uk www.ukplay.co.uk +norecurse
; (1 server found)
;; res options: init defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26030
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      www.ukplay.co.uk, type = A, class = IN

;; ANSWER SECTION:
www.ukplay.co.uk.       1H IN CNAME     www.playuk.tv.

;; Total query time: 1 msec
;; FROM: magomo to SERVER: ns.flextech.co.uk  195.188.171.2
;; WHEN: Thu Jun  6 16:48:51 2002
;; MSG SIZE  sent: 34  rcvd: 61


$ dig @ns.flextech.co.uk www.challengetv.com  +recurse

; <<>> DiG 8.2 <<>> @ns.flextech.co.uk www.challengetv.com +recurse
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14312
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
;; QUERY SECTION:
;;      www.challengetv.com, type = A, class = IN

;; ANSWER SECTION:
www.challengetv.com.    1D IN CNAME     www.challengetv.co.uk.
www.challengetv.co.uk.  1D IN A         195.188.171.15

;; AUTHORITY SECTION:
challengetv.co.uk.      1D IN NS        ns1.netnames.net.
challengetv.co.uk.      1D IN NS        ns.flextech.co.uk.

;; ADDITIONAL SECTION:
ns.flextech.co.uk.      1D IN A         195.188.171.2

;; Total query time: 2 msec
;; FROM: magomo to SERVER: ns.flextech.co.uk  195.188.171.2
;; WHEN: Thu Jun  6 16:49:08 2002
;; MSG SIZE  sent: 37  rcvd: 160


$ dig @ns.flextech.co.uk www.challengetv.com  +norecurse

; <<>> DiG 8.2 <<>> @ns.flextech.co.uk www.challengetv.com +norecurse
; (1 server found)
;; res options: init defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45114
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
;; QUERY SECTION:
;;      www.challengetv.com, type = A, class = IN

;; ANSWER SECTION:
www.challengetv.com.    1D IN CNAME     www.challengetv.co.uk.
www.challengetv.co.uk.  1D IN A         195.188.171.15

;; AUTHORITY SECTION:
challengetv.co.uk.      1D IN NS        ns1.netnames.net.
challengetv.co.uk.      1D IN NS        ns.flextech.co.uk.

;; ADDITIONAL SECTION:
ns.flextech.co.uk.      1D IN A         195.188.171.2

;; Total query time: 2 msec
;; FROM: magomo to SERVER: ns.flextech.co.uk  195.188.171.2
;; WHEN: Thu Jun  6 16:49:11 2002
;; MSG SIZE  sent: 37  rcvd: 160

$
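A small diagnostic helper, added here and not part of Ted's post or of BIND, that parses dig 8.x text output and classifies how a server's reply to one name changes when only the RD bit differs; it flags the REFUSED-with-rd / CNAME-without-rd pattern shown above. The embedded dig excerpts are constructed from the replies in the post, and the parser only handles the dig 8.x layout shown there.

```python
import re

HEADER_RE = re.compile(r"->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*);")
SECTION_RE = re.compile(r";; (\w+) SECTION:")

def parse_dig(text):
    """Extract (status, flags, answer records) from dig 8.x text output."""
    status, flags, answer, section = None, set(), [], None
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            status = m.group(2)
        elif m := FLAGS_RE.search(line):
            flags = set(m.group(1).split())
        elif m := SECTION_RE.match(line):
            section = m.group(1)          # QUERY / ANSWER / AUTHORITY / ...
        elif line.startswith(";") or not line.strip():
            continue                      # dig commentary or blank line
        elif section == "ANSWER":
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            answer.append((owner, rtype, rdata))
    return status, flags, answer

def rd_sensitivity(recursive_out, nonrecursive_out):
    """Classify how the reply for one name changes when only the RD bit differs."""
    r_status, _, r_ans = parse_dig(recursive_out)
    n_status, _, n_ans = parse_dig(nonrecursive_out)
    if r_status == n_status and r_ans == n_ans:
        return "consistent"
    if r_status == "REFUSED" and n_status == "NOERROR" and any(t == "CNAME" for _, t, _ in n_ans):
        return "refused-only-with-rd"    # the oddity described in the post
    return "differs"

# Constructed excerpts modelled on the www.ukplay.co.uk replies in the post.
RECURSE_OUT = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 57186
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      www.ukplay.co.uk, type = A, class = IN
"""
NORECURSE_OUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26030
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      www.ukplay.co.uk, type = A, class = IN

;; ANSWER SECTION:
www.ukplay.co.uk.       1H IN CNAME     www.playuk.tv.
"""
```

Calling `rd_sensitivity(RECURSE_OUT, NORECURSE_OUT)` returns `"refused-only-with-rd"`; feeding it a pair captured from a live server (one `+recurse`, one `+norecurse`) gives the same classification for that name.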