Bad example: Chaining CNAMEs?

Peter Dambier peter at peter-dambier.de
Tue Aug 22 08:20:45 UTC 2006


Chris De Young wrote:
> Hi,
> I was just browsing through the latest edition of the O'Reilly
> DNS/BIND book, and ran across a bit on pointing a CNAME record at
> another alias:
> 
> "The answer is yes: you can chain together CNAME records. The BIND
> implementation supports it, and the RFCs don't expressly forbid it."
> 
> The authors go on to recommend against it anyway, but I had always
> thought that this was actually illegal.  I don't remember now where I
> had gotten that idea... I think the issue had to do with not being
> guaranteed that the server would always do the additional processing
> to ensure that you got to the canonical name at the end of the chain.
> 
> I guess I've been mistaken?  :-)
> 
> -C
> 
> 

named_complained("unexpected RCODE (SERVFAIL) resolving 'image.espotting.com/A/IN': 212.118.255.95#53","Aug-21","12:21:12").


; <<>> DiG 9.4.0b1 <<>> image.espotting.com @A.GTLD-SERVERS.NET
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51370
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;image.espotting.com.           IN      A

;; AUTHORITY SECTION:
espotting.com.          172800  IN      NS      dns1.miva.com.
espotting.com.          172800  IN      NS      dns2.miva.com.
espotting.com.          172800  IN      NS      dns3.miva.com.

;; ADDITIONAL SECTION:
dns2.miva.com.          30      IN      A       212.118.255.95
dns1.miva.com.          30      IN      A       66.150.55.227
dns3.miva.com.          30      IN      A       64.95.46.210

;; Query time: 152 msec
;; SERVER: 192.5.6.30#53(192.5.6.30)
;; WHEN: Tue Aug 22 08:51:12 2006
;; MSG SIZE  rcvd: 147



; <<>> DiG 9.4.0b1 <<>> image.espotting.com @dns1.miva.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7843
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 9, ADDITIONAL: 9

;; QUESTION SECTION:
;image.espotting.com.           IN      A

;; ANSWER SECTION:
image.espotting.com.    30      IN      CNAME   espotting.com.edgesuite.net.
espotting.com.edgesuite.net. 11782 IN   CNAME   a1623.g.akamai.net.
a1623.g.akamai.net.     20      IN      A       64.215.169.208
a1623.g.akamai.net.     20      IN      A       64.215.169.231

;; AUTHORITY SECTION:
g.akamai.net.           2650    IN      NS      n1g.akamai.net.
g.akamai.net.           3550    IN      NS      n2g.akamai.net.
g.akamai.net.           1750    IN      NS      n7g.akamai.net.
g.akamai.net.           1750    IN      NS      n3g.akamai.net.
g.akamai.net.           1750    IN      NS      n4g.akamai.net.
g.akamai.net.           1750    IN      NS      n8g.akamai.net.
g.akamai.net.           1750    IN      NS      n5g.akamai.net.
g.akamai.net.           1750    IN      NS      n0g.akamai.net.
g.akamai.net.           1750    IN      NS      n6g.akamai.net.

;; ADDITIONAL SECTION:
...

;; Query time: 182 msec
;; SERVER: 66.150.55.227#53(66.150.55.227)
;; WHEN: Tue Aug 22 08:52:11 2006
;; MSG SIZE  rcvd: 464



; <<>> DiG 9.4.0b1 <<>> espotting.com.edgesuite.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12545
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 9, ADDITIONAL: 1

;; QUESTION SECTION:
;espotting.com.edgesuite.net.   IN      A

;; ANSWER SECTION:
espotting.com.edgesuite.net. 18610 IN   CNAME   a1623.g.akamai.net.
a1623.g.akamai.net.     20      IN      A       217.6.176.34
a1623.g.akamai.net.     20      IN      A       217.6.176.18

;; AUTHORITY SECTION:
g.akamai.net.           1296    IN      NS      n6g.akamai.net.
g.akamai.net.           1296    IN      NS      n7g.akamai.net.
g.akamai.net.           1296    IN      NS      n0g.akamai.net.
g.akamai.net.           1296    IN      NS      n3g.akamai.net.
g.akamai.net.           1296    IN      NS      n2g.akamai.net.
g.akamai.net.           1296    IN      NS      n1g.akamai.net.
g.akamai.net.           1296    IN      NS      n4g.akamai.net.
g.akamai.net.           1296    IN      NS      n8g.akamai.net.
g.akamai.net.           1296    IN      NS      n5g.akamai.net.

;; ADDITIONAL SECTION:
...

;; Query time: 166 msec
;; SERVER: 192.168.48.227#53(192.168.48.227)
;; WHEN: Tue Aug 22 09:49:31 2006
;; MSG SIZE  rcvd: 284



The chain is

image.espotting.com.            CNAME   espotting.com.edgesuite.net.
espotting.com.edgesuite.net.    CNAME   a1623.g.akamai.net.

a1623.g.akamai.net.             A       217.6.176.34
a1623.g.akamai.net.             A       217.6.176.18

I have seen it working when I happened to have the right
things in my cache.


Just for curiosity, let's try djbdns.


; <<>> DiG 9.4.0b1 <<>> image.espotting.com @echnaton
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14370
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;image.espotting.com.           IN      A

;; ANSWER SECTION:
image.espotting.com.    30      IN      CNAME   espotting.com.edgesuite.net.
espotting.com.edgesuite.net. 21600 IN   CNAME   a1623.g.akamai.net.
a1623.g.akamai.net.     20      IN      A       217.6.176.34
a1623.g.akamai.net.     20      IN      A       217.6.176.18

;; Query time: 1442 msec
;; SERVER: 192.168.208.228#53(192.168.208.228)
;; WHEN: Tue Aug 22 10:12:55 2006
;; MSG SIZE  rcvd: 139


Yes it did find the answer, but I have patched it to follow CNAMEs. Bernstein
says the patch is bad.

Query time: 1442 msec is bad. A little longer and libresolv would try other
nameservers. That is producing unnecessary traffic on the DNS servers.

A little longer and the browser would give up anyway - if the user had not
already given up.

Kind regards
Peter and Karin

-- 
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
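
Added example (not part of the original post, and not code from BIND or djbdns): a small walker that follows the CNAME chain in a dig ANSWER SECTION like the ones quoted above. It reports the hops, the final A records and the smallest TTL on the path, and flags loops, over-long chains and chains that end without an address. The function names and the MAX_HOPS cap are assumptions of this example.

```python
# SAMPLE is the ANSWER SECTION of the last dig output quoted in the post.
SAMPLE = """\
image.espotting.com.    30      IN      CNAME   espotting.com.edgesuite.net.
espotting.com.edgesuite.net. 21600 IN   CNAME   a1623.g.akamai.net.
a1623.g.akamai.net.     20      IN      A       217.6.176.34
a1623.g.akamai.net.     20      IN      A       217.6.176.18
"""

MAX_HOPS = 8  # assumed cap for this example; real resolvers pick their own


def parse_records(text):
    """Parse 'name ttl class type rdata' lines; skip blanks and ';' comments."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue
        name, ttl, rtype = fields[0].lower(), int(fields[1]), fields[3].upper()
        records.append((name, ttl, rtype, " ".join(fields[4:])))
    return records


def walk_chain(records, qname, max_hops=MAX_HOPS):
    """Follow CNAMEs from qname; return (aliases, addresses, min_ttl, status)."""
    cnames = {n: (ttl, rd.lower()) for n, ttl, t, rd in records if t == "CNAME"}
    name, aliases, seen, ttls = qname.lower(), [], set(), []
    while name in cnames:
        if name in seen:                  # alias points back into the chain
            return aliases, [], min(ttls), "loop"
        if len(aliases) >= max_hops:      # refuse to chase unbounded chains
            return aliases, [], min(ttls), "too-long"
        seen.add(name)
        ttl, target = cnames[name]
        ttls.append(ttl)
        aliases.append((name, target))
        name = target
    addrs = [(ttl, rd) for n, ttl, t, rd in records if n == name and t == "A"]
    if not addrs:                         # chain ends at a name with no A record
        return aliases, [], min(ttls) if ttls else None, "dangling"
    ttls.extend(ttl for ttl, _ in addrs)
    # The whole path is answerable from cache only until the smallest TTL expires.
    return aliases, [rd for _, rd in addrs], min(ttls), "ok"


if __name__ == "__main__":
    print(walk_chain(parse_records(SAMPLE), "image.espotting.com."))
```
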


