CNAME CHAINING

Barry Margolin barmar at bbnplanet.com
Fri Dec 31 23:36:06 UTC 1999


In article <199912311834.NAA12073 at advdata.net>,  <wwebb at adni.net> wrote:
>Is there any legitimate reason to use CNAME chaining?
>
>Some CNAME chaining was identified in one of our zones and the 
>person who operates the name servers of a delegated sub-domain 
>advised:
>
>"We use CNAME chaining to avoid reverse DNS lookup problems. 
>For example, if a DNS query produced the following:
>
>     Server:  wolfden.emtoo.net
>     Address:  151.198.89.3
>
>     Name:    www.njwg.cap.gov
>     Address:  151.198.89.100
>
>and the reverse DNS lookup resolved as follows:
>
>     151.198.89.100 -> bsys01-4.emtoo.net
>
>name resolution problems will occur and depending on the 
>accessor, the CAP web site may be blocked from access, not 
>listed in search engines, or be listed improperly."
>
>I had never heard of this before and I would appreciate the group's 
>insight on this issue.

I'm not sure what this has to do with the question.  I presume that by
"CNAME chaining" you mean CNAME records that point to other CNAME records.
This is allowed, but opinions on whether it's a good idea differ.  The main
argument against it, I think, is the inefficiency of having to do all those
extra CNAME queries to resolve a name.

The issue that your subdomain server operator referred to is a non-problem,
in my opinion.  In general, software doesn't start with a forward lookup
and then perform a reverse lookup to verify it.  There are many instances
where multiple names point to the same address, but there aren't
corresponding PTR records for each of them.  The normal time when
forward/reverse consistency is checked is when the application starts with
a *reverse* lookup -- this is done to prevent reverse DNS spoofing, which
could be used to trick access checking software (e.g. a hosts.allow file
might contain *.domain.com, and there's nothing stopping any reverse domain
administrator from creating a PTR record that translates his address to
something.domain.com, even though he actually has no relationship with the
domain.com domain).

I'm not sure what this has to do with CNAME "chaining", though.  Their
claim would be appropriate in an argument to use CNAMEs rather than
multiple A records that point to the same address.  And I generally advise
people to use CNAMEs whenever feasible.  However, there are a number of
cases when they aren't:

1) You can't make the zone name be a CNAME.  A delegated zone has to have
SOA and NS records, and this would violate the rule against a name having
CNAME and other records.

2) Names used in NS or MX records shouldn't be CNAME records, they must be
A records.  So either you should make the NS/MX records point to the target
of the CNAME, or change the CNAME into an A record.

-- 
Barry Margolin, barmar at bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
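As an added example (not code from the post above or from BIND), the following Python script models the three points Barry makes against a small constructed, in-memory record set: following a CNAME chain with a hop limit and loop detection, the forward-confirmed reverse lookup that hosts.allow-style access checks rely on, and a check for the two CNAME placement rules. A few hostnames and the 151.198.89.x addresses are taken from the thread; the njwg.cap.gov and mail.cap.gov data, ns1.cap.gov, loop.example, 192.0.2.1 and 203.0.113.9 are assumptions made up to exercise the checks, and nothing here touches the network.

```python
"""Toy, in-memory DNS model for the points in the reply above: CNAME chains,
forward-confirmed reverse lookups, and where CNAMEs may not appear.
Added example, not code from the post or from BIND; it never queries a server."""
from collections import defaultdict

MAX_CNAME_HOPS = 8  # assumed cap; real resolvers also bound chain length

# Constructed record set: (owner, type) -> list of rdata strings.  Names are
# fully qualified without the trailing dot.  Some hostnames come from the
# thread; the addresses, the njwg.cap.gov/mail.cap.gov data and loop.example
# are made up to exercise the checks below.
RECORDS = {
    ("cap.gov", "SOA"): ["ns1.cap.gov hostmaster.cap.gov 1 3600 600 86400 300"],
    ("cap.gov", "NS"): ["ns1.cap.gov"],
    ("cap.gov", "MX"): ["10 mail.cap.gov"],             # rule 2: MX target is a CNAME
    ("ns1.cap.gov", "A"): ["192.0.2.53"],
    ("mail.cap.gov", "CNAME"): ["bsys01-4.emtoo.net"],
    ("njwg.cap.gov", "NS"): ["wolfden.emtoo.net"],      # delegated sub-zone ...
    ("njwg.cap.gov", "CNAME"): ["bsys01-4.emtoo.net"],  # rule 1: CNAME at a zone apex
    ("wolfden.emtoo.net", "A"): ["151.198.89.3"],
    ("www.njwg.cap.gov", "CNAME"): ["web.emtoo.net"],   # two-hop CNAME chain
    ("web.emtoo.net", "CNAME"): ["bsys01-4.emtoo.net"],
    ("bsys01-4.emtoo.net", "A"): ["151.198.89.100"],
    ("100.89.198.151.in-addr.arpa", "PTR"): ["bsys01-4.emtoo.net"],
    ("loop.example", "CNAME"): ["loop2.example"],       # CNAME loop
    ("loop2.example", "CNAME"): ["loop.example"],
    # A reverse-zone operator claiming a name under domain.com that does not
    # forward-resolve back to his own address (the spoof described above).
    ("1.2.0.192.in-addr.arpa", "PTR"): ["trusted.domain.com"],
    ("trusted.domain.com", "A"): ["203.0.113.9"],
}


def lookup(name, rtype):
    """Exact-owner lookup; no CNAME following."""
    return RECORDS.get((name.lower(), rtype), [])


def resolve(name, rtype):
    """Follow CNAMEs from name until rdata of type rtype is found.
    Returns (chain, rdata): chain lists each (owner, target) hop taken.
    Raises ValueError on a CNAME loop or a chain longer than MAX_CNAME_HOPS."""
    chain, seen, current = [], set(), name.lower()
    while True:
        data = lookup(current, rtype)
        if data:
            return chain, data
        cname = lookup(current, "CNAME")
        if not cname:
            return chain, []          # dead end: no such data
        if current in seen or len(chain) >= MAX_CNAME_HOPS:
            raise ValueError(f"CNAME loop or over-long chain at {current}")
        seen.add(current)
        chain.append((current, cname[0]))
        current = cname[0].lower()


def reverse_name(ip):
    """IPv4 dotted quad -> in-addr.arpa owner name."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def forward_confirmed_reverse(ip):
    """The check the reply describes: start from the PTR, then require that the
    name it returns forward-resolves to the same address.  Returns the confirmed
    hostname, or None if no PTR name survives the forward check."""
    for host in lookup(reverse_name(ip), "PTR"):
        try:
            _, addrs = resolve(host, "A")
        except ValueError:
            continue                  # broken chain behind the PTR: not confirmed
        if ip in addrs:
            return host
    return None


def access_allowed(ip, allowed_suffix=".domain.com"):
    """hosts.allow-style rule '*.domain.com' evaluated only on a confirmed name."""
    host = forward_confirmed_reverse(ip)
    return host is not None and host.lower().endswith(allowed_suffix)


def check_cname_rules(records=RECORDS):
    """Report the two rules from the reply: a CNAME sharing an owner with other
    data (which is what a CNAME at a zone apex would be, since the apex must
    carry SOA and NS), and NS/MX targets that are CNAMEs instead of A records."""
    by_owner = defaultdict(set)
    for owner, rtype in records:
        by_owner[owner].add(rtype)
    problems = [f"{owner}: CNAME coexists with {sorted(types - {'CNAME'})}"
                for owner, types in sorted(by_owner.items())
                if "CNAME" in types and len(types) > 1]
    for (owner, rtype), rdatas in records.items():
        if rtype in ("NS", "MX"):
            for rdata in rdatas:
                target = rdata.split()[-1]   # MX rdata carries a preference first
                if lookup(target, "CNAME"):
                    problems.append(f"{owner} {rtype} -> {target} is a CNAME")
    return problems


if __name__ == "__main__":
    print(resolve("www.njwg.cap.gov", "A"))
    print(forward_confirmed_reverse("151.198.89.100"), access_allowed("192.0.2.1"))
    print("\n".join(check_cname_rules()))
```

Running it shows the two-hop chain behind www.njwg.cap.gov resolving to 151.198.89.100, the PTR for that address confirming as bsys01-4.emtoo.net, the spoofed PTR for 192.0.2.1 failing the forward check (so the `*.domain.com` rule does not match), and the two rule violations in the record set.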


