[bind10-dev] should b10-auth return CNAME chain?
Stephen Morris
stephen at isc.org
Mon Jan 24 08:54:41 UTC 2011
On 22 Jan 2011, at 05:50, JINMEI Tatuya / 神明達哉 wrote:
> Evan raised an issue about how our authoritative server (b10-auth)
> should handle CNAMEs: http://bind10.isc.org/ticket/504#comment:12
> I think it's a discussion topic for wider audiences and I'd like to
> solicit opinions here.
> :
> BIND 9 returns the A RR in both cases 1 and 2, and returns it whether
> or not the target zone is signed. As far as I know, NSD behaves that
> way, too.
>
> We are now thinking about taking a different approach: don't return
> any chain after CNAME and always have the resolver follow it
> explicitly. Do it at least if the target zone isn't signed, and probably
> keep the same behavior even for signed zones.
>
> I have some more detailed points about this topic, but I'll stop here
> for now so that this message won't be too long. For now, I'd like to
> know whether this generally sounds like a good or bad idea, and
> especially if there's a case where this behavior breaks an existing
> (recursive) resolver. From my quick experiments, it should work with
> BIND 9, unbound, pdns recursor.
My initial reaction is that using the principle of least astonishment, BIND-10 should do what BIND-9 does and return the entire chain as well.
The questions I have are (a) why the behaviour should change and (b) what benefit does it confer on users of the system.
Stephen