[bind10-dev] should b10-auth return CNAME chain?
Mark Andrews
marka at isc.org
Mon Jan 24 22:11:34 UTC 2011
In message <4D3D9F1F.7050509 at isc.org>, Jerry Scharf writes:
> Mark,
>
> If the CNAME and the A are in the same zone, how can you call it
> poisoning? If someone has control of the zone, what you get is what you
> get. I do agree that it could be better to not complete the chain when
> it is out of zone.
>
> jerry
e.g.
bar.example.net CNAME foo.example.net
foo.example.net A 1.2.3.4
zone "foo.example.net" {
type forward;
masters { .... };
};
The cache has no way to know that bar.example.net and foo.example.net are
in the same zone sans DNSSEC.
> On 1/24/2011 2:50 AM, Mark Andrews wrote:
> >
> > Returning just the CNAME and not what it points to prevents the
> > authoritative nameserver accidentally poisoning caches which follow
> > such CNAME records. This forces the cache to make an additional
> > lookup.
> >
> > BIND 9 may yet stop following the chain internally when operating
> > in authoritative mode. It's been proposed several times and not
> > been outright rejected.
> >
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
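The bailiwick problem in Mark's example, worked through as an added illustration (not code from BIND or from this thread): a cache that has its own "forward" zone for foo.example.net must not accept the foo.example.net A record an example.net server chains onto the CNAME, because from the cache's point of view a more specific zone claims that name. The record set, the zone names and the function names below are constructed for this example.

```python
# Resolver-side filter: keep records from an authoritative answer only when the
# cache can itself justify that the answering server speaks for the owner name.
from typing import List, Set, Tuple

RR = Tuple[str, str, str]  # (owner, rtype, rdata); constructed sample layout

def _norm(name: str) -> str:
    return name.lower().rstrip(".")

def in_zone(name: str, zone: str) -> bool:
    """True if `name` is at or below `zone` (label-wise, not substring-wise)."""
    name, zone = _norm(name), _norm(zone)
    return name == zone or name.endswith("." + zone)

def closest_zone(name: str, zones: Set[str]) -> str:
    """Most specific configured zone that contains `name` (longest label match)."""
    matches = [z for z in zones if in_zone(name, z)]
    return max(matches, key=lambda z: _norm(z).count(".")) if matches else ""

def filter_chain(answer: List[RR], served_zone: str,
                 local_zones: Set[str]) -> Tuple[List[RR], List[RR]]:
    """Split an answer into (accepted, rejected).

    served_zone: the zone the answering server is authoritative for.
    local_zones: zones this cache has its own configuration for (e.g. forward
                 zones), which override anything a parent-zone server says.
    A record is accepted only if its owner lies inside served_zone AND no more
    specific local zone claims that owner; everything else is dropped so the
    cache has to look it up separately, exactly as Mark describes.
    """
    accepted, rejected = [], []
    for rr in answer:
        owner = rr[0]
        if not in_zone(owner, served_zone):          # out of bailiwick
            rejected.append(rr)
        elif _norm(closest_zone(owner, local_zones | {served_zone})) != _norm(served_zone):
            rejected.append(rr)                      # a local zone owns this name
        else:
            accepted.append(rr)
    return accepted, rejected

# Constructed answer from an example.net server, matching the message above.
SAMPLE_ANSWER: List[RR] = [
    ("bar.example.net", "CNAME", "foo.example.net"),
    ("foo.example.net", "A", "1.2.3.4"),
]
FORWARD_ZONES: Set[str] = {"foo.example.net"}  # this cache's own forward zone

if __name__ == "__main__":
    ok, dropped = filter_chain(SAMPLE_ANSWER, "example.net", FORWARD_ZONES)
    print("cached:", ok)       # only the CNAME
    print("refetch:", dropped) # the chained A record for the forward zone
```

With no local zone for foo.example.net both records pass the check, which is precisely why the cache cannot distinguish Jerry's same-zone case from the chained case without DNSSEC.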