Many A-records

Jonathan de Boyne Pollard J.deBoynePollard at Tesco.NET
Thu Apr 8 10:16:33 UTC 2004


JL> Every time you create a CNAME where you could have used an A
JL> record you create a situation where every resolver looking 
JL> for your service must do two lookups instead of one.  

BM> Unless the server is authoritative for both the CNAME record 
BM> and its target.  In that case the server will return both 
BM> records, [...]

If the first client-side alias leads out of the server's bailiwick, then 
the resolving proxy DNS server _still_ needs to perform further lookups, 
because the second alias in the chain will be discarded as poison.

The classic example is the response from one of the "openwatcom.com." 
content DNS servers to an "A" query for "www.openwatcom.com.":

    [207.234.248.200:0035] -> [0.0.0.0:0000] 143
    Header: 0001 1+3+2+0, R, AUTH, query, no_error
    Question: www.openwatcom.com. IN A
    Answer: www.openwatcom.com. IN CNAME 7200 www.openwatcom.org.
    Answer: www.openwatcom.org. IN CNAME 7200 openwatcom.org.
    Answer: openwatcom.org. IN A 7200 69.0.238.41
    Authority: openwatcom.org. IN NS 7200 ns1.zoneedit.com.
    Authority: openwatcom.org. IN NS 7200 ns2.zoneedit.com.

The "www.openwatcom.org." client-side alias and the "openwatcom.org." 
"A" resource record set and partial delegation data are all out of 
bailiwick (because the bailiwick is "openwatcom.com.") and are discarded 
as poison.  The resolving proxy DNS server has to make further queries 
to look up "www.openwatcom.org.".

It's worth noting that the most common rationale that people give for using
client-side aliases is to deal with the case where a domain name is an alias 
for another domain name at a wholly different point in the namespace tree; 
but that that situation is also where this sort of out of bailiwick aliasing 
is most likely to occur, too.

It's also worth noting, as an aside, that, whilst BIND will provide the 
complete alias chain (if it has it in its database) in its response, some 
other content DNS server softwares do not.  (BIND even contains a bodge to 
try to cope with such responses.  Strictly speaking, according to RFC 2308, 
such responses are "lame" self-delegation responses, and BIND is free to
treat servers that provide such truncated alias chains as "lame".)  As I 
said before, one reason to avoid client-side aliases is that several DNS 
server softwares (both proxy and content) don't deal with them at all well.
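
The bailiwick filtering described in the message above, as an added example that is not part of the original post and is not code from BIND or any other DNS server. It is a simplified model that assumes the check is made on record owner names only; the record tuples are constructed from the quoted "openwatcom.com." response, and all function names are hypothetical.

```python
# Constructed from the response quoted in the post: (section, owner, type, ttl, rdata).
RESPONSE = [
    ("answer", "www.openwatcom.com.", "CNAME", 7200, "www.openwatcom.org."),
    ("answer", "www.openwatcom.org.", "CNAME", 7200, "openwatcom.org."),
    ("answer", "openwatcom.org.", "A", 7200, "69.0.238.41"),
    ("authority", "openwatcom.org.", "NS", 7200, "ns1.zoneedit.com."),
    ("authority", "openwatcom.org.", "NS", 7200, "ns2.zoneedit.com."),
]


def labels(name):
    """Split a domain name into lower-cased labels, ignoring the root dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def in_bailiwick(owner, bailiwick):
    """True when owner is the bailiwick name itself or a subdomain of it.

    Comparison is label by label, so "evilopenwatcom.com." does not pass
    as being inside "openwatcom.com." the way a string suffix test would.
    """
    o, b = labels(owner), labels(bailiwick)
    return len(o) >= len(b) and o[len(o) - len(b):] == b


def filter_response(records, bailiwick):
    """Partition records into (kept, discarded) by owner-name bailiwick."""
    kept, discarded = [], []
    for rec in records:
        (kept if in_bailiwick(rec[1], bailiwick) else discarded).append(rec)
    return kept, discarded


def next_query(qname, qtype, kept):
    """Follow only the kept aliases; return the name still to be
    resolved, or None if the kept records already answer the question."""
    aliases = {o.lower(): r.lower() for _, o, t, _, r in kept if t == "CNAME"}
    name, seen = qname.lower(), set()
    while name in aliases and name not in seen:  # 'seen' stops alias loops
        seen.add(name)
        name = aliases[name]
    answered = any(o.lower() == name and t == qtype for _, o, t, _, _ in kept)
    return None if answered else name


if __name__ == "__main__":
    kept, discarded = filter_response(RESPONSE, "openwatcom.com.")
    print(len(kept), "kept;", len(discarded), "discarded as poison")
    print("still to resolve:", next_query("www.openwatcom.com.", "A", kept))
```
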

