[bind10-dev] should b10-auth return CNAME chain?
Jerry Scharf
scharf at isc.org
Tue Jan 25 00:48:01 UTC 2011
This is all said with my operations mindset firmly in place.
My main reason for continuing to do this is to not hurt a service in
terms of extra queries and user latency. I doubt the cost of chasing the
chain is more than the cost of handling another query to lookup the
chain and there is no question about the latency.
For any case where we can say "modern resolvers/recursers don't trust
the chain and do the query anyway" I would think it is fine to drop the
chain. A smaller packet is cheaper on all if the chain is ignored.
I think the out-of-zone case (case #2) meets this criterion but am not
sure. Do we have a solid feel for whether the in-zone case meets this
criterion?
As for Mark's point, I am not looking at what the resolver should do. I
am looking at what the auth server should answer with. This is the point
of the discussion. In the case that there is a zone cut, I think this
falls into case 2.
Then again, if you design your service to use a CNAME in the parent and
the result in a child, you are making trust statements about both zones
and the poisoning case is hard to press. It's not so dissimilar from my
argument that if a.example.com CNAME b.example.com with both in the same
zone, poisoning is not an issue. If your nameserver has been
compromised, you are in seriously bad shape and chasing vs. not chasing
a CNAME is not the issue.
I think that any change to the resolver policy for this should probably
be controlled with a configuration parameter so people can have their
old mode with the accepted risk.
jerry
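The two cases Jerry is weighing can be made concrete with a small model of the authoritative side. The following is an added illustration, not code from this thread or from BIND 10: an authoritative answer builder that chases a CNAME only while the target stays inside the zone it is authoritative for (case 1), stops at the first out-of-zone or delegated target and leaves the resolver to re-query (case 2), and exposes the "chase or not" choice as a configuration flag so the old behaviour stays available. The zone contents, the `ZONE` dict layout, the apex `example.com.` and the function names are all my own constructed assumptions.

```python
"""Added example: should an authoritative server append a CNAME chain?

Assumptions (constructed for this illustration, not from the thread):
  - zone data is a dict: owner name -> list of (rtype, rdata) tuples
  - a name is "in zone" when it sits at or below the apex and no NS
    record (a zone cut) lies between it and the apex; a target below a
    cut is treated as out of zone, i.e. case 2
"""

ZONE_APEX = "example.com."

# Constructed sample zone. The CNAME targets cover the three situations
# under discussion: in-zone chain, out-of-zone target, target below a cut.
ZONE = {
    "example.com.": [("SOA", "ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300"),
                     ("NS", "ns1.example.com.")],
    "a.example.com.": [("CNAME", "b.example.com.")],          # in-zone chain a -> b -> c
    "b.example.com.": [("CNAME", "c.example.com.")],
    "c.example.com.": [("A", "192.0.2.1")],
    "www.example.com.": [("CNAME", "cdn.example.net.")],      # target in another zone
    "app.example.com.": [("CNAME", "host.child.example.com.")],  # target below a delegation
    "child.example.com.": [("NS", "ns1.child.example.com.")],    # zone cut
}


def is_in_zone(name, zone=ZONE, apex=ZONE_APEX):
    """True if this server is authoritative for `name`: the name is at or
    below the apex and neither it nor any ancestor below the apex owns an
    NS record (which would mean it has been delegated away)."""
    if name == apex:
        return True
    if not name.endswith("." + apex):
        return False
    labels = name[: -(len(apex) + 1)].split(".")   # labels below the apex
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "." + apex
        if any(rtype == "NS" for rtype, _ in zone.get(candidate, [])):
            return False
    return True


def build_answer(qname, qtype, chase_in_zone=True, zone=ZONE, max_chain=8):
    """Return the answer section as a list of (owner, rtype, rdata).

    The chain is followed only while the next owner is in zone. With
    chase_in_zone=False only the first CNAME is returned (the "drop the
    chain" mode). max_chain guards against a CNAME loop in zone data.
    """
    answer = []
    name = qname
    for _ in range(max_chain):
        if not is_in_zone(name, zone):
            break                           # case 2: not ours to answer
        rrs = zone.get(name, [])
        wanted = [(name, t, d) for t, d in rrs if t == qtype]
        if wanted:                          # found the requested type (or an explicit CNAME query)
            answer.extend(wanted)
            break
        cnames = [(name, t, d) for t, d in rrs if t == "CNAME"]
        if not cnames:
            break                           # no data / NXDOMAIN handling is out of scope here
        answer.extend(cnames)
        if not chase_in_zone:
            break                           # old mode: one CNAME, resolver does the rest
        name = cnames[0][2]                 # case 1 candidate: keep going while in zone
    return answer


if __name__ == "__main__":
    for q in ("a.example.com.", "www.example.com.", "app.example.com."):
        print(q, "->", build_answer(q, "A"))
    print("no chase ->", build_answer("a.example.com.", "A", chase_in_zone=False))
```

Querying `a.example.com. A` yields the full three-record in-zone chain, while `www.example.com.` and `app.example.com.` each come back as a single CNAME because the target is in another zone or below the `child.example.com.` cut; flipping `chase_in_zone` to `False` reproduces the smaller-packet behaviour for the in-zone case as well.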