BIND 10 #987: b10-auth should chase CNAME in the same zone
BIND 10 Development
do-not-reply at isc.org
Wed Jun 1 03:44:24 UTC 2011
#987: b10-auth should chase CNAME in the same zone
Reporter: jinmei
Owner:
Status: new
Type: defect
Milestone: Year 3 Task Backlog
Priority: major
Resolution:
Component: b10-auth
Sensitive: 0
Keywords:
Sub-Project: DNS
Defect Severity: N/A
Estimated Difficulty: 0.0
Feature Depending on Ticket:
Total Hours: 0
Add Hours to Ticket: 0
Internal?: 0
Comment (by each):
Replying to [ticket:987 jinmei]:
> We discussed this before, and it was open at that time.
>
> According to a recent incident report with BIND 9, there seems to be a
> user who relies on getting the chain (at least from the same zone)
> even from an authoritative server, so we should support it.
This is not quite correct. The issue in BIND 9 is that a server can be
configured to be both recursive ''and'' authoritative. If a server is
authoritative for example.com, and receives a request for data in
example.com from one of its recursive clients with RD set, then of course
it should answer as a recursive server would: with a complete CNAME chain.
But there was a bug in the interface between the BIND 9 recursive query
code and the authoritative server code, so that the authority part didn't
always give the full chain back to the recursive part. If this had been
an interaction between a recursive server and a separate authoritative
server, then the recursive server would simply have sent another query for
the target name, and assembled the CNAME chain that way. (In fact, it
would probably do this even if it ''had'' received a complete CNAME chain
from the authority server, as the authoritative response isn't necessarily
trustworthy for the target name.) But, as this particular recursive
server was querying ''itself'', it assumed it had received all the
information the authoritative server had, and it returned a broken chain.
What BIND 10 needs to do is ensure that a recursive (RD=1) request gets a
complete chain. RD=0 requests don't need to. There may be a slight
performance benefit to providing one when possible, but there are costs in
security and complexity that IMHO outweigh it.
--
Ticket URL: <http://bind10.isc.org/ticket/987#comment:1>
BIND 10 Development <http://bind10.isc.org>
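The following is an added illustration of the behaviour discussed in the comment above; it is not BIND 10 code and does not reflect how b10-auth or BIND 9 actually implement CNAME handling. The zone data, the zone names example.com/example.net, the MAX_CHAIN cap and all function names are constructed for the example. It shows an authoritative side that chases a CNAME chain only for RD=1 queries and never past its own zone boundary or around a loop, and a separate recursive side that follows the chain hop by hop with RD=0 queries, keeping only records that lie inside the zone it asked (the "not necessarily trustworthy for the target name" point).

```python
"""Constructed model of in-zone CNAME chasing (added example, not BIND code)."""

# Constructed zones: owner name -> (type, rdata). Names are absolute, lowercase.
ZONES = {
    "example.com.": {
        "www.example.com.":   ("CNAME", "web.example.com."),
        "web.example.com.":   ("CNAME", "host1.example.com."),
        "host1.example.com.": ("A", "192.0.2.10"),
        "ext.example.com.":   ("CNAME", "cdn.example.net."),   # target in another zone
        "loop1.example.com.": ("CNAME", "loop2.example.com."),
        "loop2.example.com.": ("CNAME", "loop1.example.com."),
    },
    "example.net.": {
        "cdn.example.net.": ("A", "198.51.100.7"),
    },
}

MAX_CHAIN = 8  # hypothetical hop cap so a malformed chain cannot run unbounded


def in_zone(name, zone_name):
    """True if name is the zone apex or below it."""
    return name == zone_name or name.endswith("." + zone_name)


def zone_for(name):
    """Longest-suffix match: which constructed zone is authoritative for name."""
    best = None
    for zone_name in ZONES:
        if in_zone(name, zone_name) and (best is None or len(zone_name) > len(best)):
            best = zone_name
    return best


def authoritative_answer(zone_name, qname, qtype, rd):
    """Answer qname/qtype from zone_name's data only.

    Returns (status, answer) with answer a list of (owner, type, rdata).
    With rd=1 the server chases CNAMEs that stay inside its zone; with rd=0
    it returns just the first CNAME and leaves following it to the client.
    """
    zone = ZONES[zone_name]
    answer = []
    name = qname
    seen = set()
    for _ in range(MAX_CHAIN):
        if name in seen:
            return "loop", answer           # chain revisits a name: stop
        seen.add(name)
        rr = zone.get(name)
        if rr is None:
            return "nxdomain", answer
        rtype, rdata = rr
        if rtype == qtype:
            answer.append((name, rtype, rdata))
            return "answered", answer
        if rtype != "CNAME":
            return "nodata", answer         # name exists but has no qtype
        answer.append((name, "CNAME", rdata))
        if not rd:
            return "cname", answer          # RD=0: client is expected to follow it
        if not in_zone(rdata, zone_name):
            return "out_of_zone", answer    # never chase beyond our own data
        name = rdata
    return "too_long", answer


def recursive_resolve(qname, qtype):
    """A separate resolver: one RD=0 query per hop to the zone owning the name,
    accepting only records whose owner is inside the zone that was asked."""
    chain = []
    name = qname
    seen = set()
    for _ in range(MAX_CHAIN):
        if name in seen:
            return "loop", chain
        seen.add(name)
        zone_name = zone_for(name)
        if zone_name is None:
            return "servfail", chain
        status, rrs = authoritative_answer(zone_name, name, qtype, rd=0)
        chain.extend(r for r in rrs if in_zone(r[0], zone_name))  # bailiwick filter
        if status != "cname":
            return status, chain
        name = rrs[-1][2]                   # follow the CNAME target ourselves
    return "too_long", chain


if __name__ == "__main__":
    print(authoritative_answer("example.com.", "www.example.com.", "A", rd=1))
    print(authoritative_answer("example.com.", "www.example.com.", "A", rd=0))
    print(recursive_resolve("ext.example.com.", "A"))
```

Running the module prints the full in-zone chain for the RD=1 case, a single CNAME for the RD=0 case, and the two-hop chain the resolver assembles itself when the target lives in a different zone.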