CNAME at apex, was Re: Issue running "dig txt rs.dns-oarc.net" on 9.12

Mark Andrews marka at isc.org
Sun Mar 11 01:55:58 UTC 2018


While it will speed up things slightly it won’t avoid the issue as TTLs vary. 

-- 
Mark Andrews

> On 11 Mar 2018, at 05:30, Tony Finch <dot at dotat.at> wrote:
> 
> Evan Hunt <each at isc.org> wrote:
>> 
>> In 9.12.1 and the other upcoming maintenance releases, we've just reverted
>> the change to validator.c that caused the problems. (That turns out to have
>> the exact same effect as your patch does.)
> 
> Great, that will please my user, and I can use NTAs to work around the
> problem until then.
> 
>> Apex CNAMEs are bogus, of course, but we do need to cope with them when
>> they appear. We're going to revisit this issue in 9.12.2, once we've
>> figured out how to solve the one problem without causing the other one.
> 
> I have said this already so I'm at risk of being a bore, but it would be
> super cool if BIND could make use of the DS records (or PNEs) it gets in
> referrals, instead of re-fetching them during validation. It should
> provide a nice speed-up, as well as allowing the validator to avoid
> looking into insecure subtrees, which will have the side-effect of
> avoiding problems with apex CNAMEs.
> 
> Tony.
> -- 
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
> Fisher: Easterly 6 to gale 8, increasing severe gale 9 for a time in north.
> Moderate or rough, occasionally very rough in north. Rain. Moderate or poor.


