DNS alias found where canonical name expected errors...

Mark.Andrews at nominum.com
Sat Apr 14 23:40:11 UTC 2001


> 
> Hey guys, I know this question was asked and answered before but I'm
> still having problems with looking up machine names that have chains of
> CNAMEs. I'm running BIND 8.2.3 with the following options (from
> /etc/named.conf):
> 
> options {
> 	check-names master ignore;
> 	check-names slave ignore;
> 	check-names response ignore;
> 
> 	pid-file "/var/run/named.pid";
> 	directory "/etc/namedb";
> 	/*
> 	 * If there is a firewall between you and nameservers you want
> 	 * to talk to, you might need to uncomment the query-source
> 	 * directive below.  Previous versions of BIND always asked
> 	 * questions using port 53, but BIND 8.1 uses an unprivileged
> 	 * port by default.
> 	 */
> 	// query-source address * port 53;
> 
> 	listen-on { 127.0.0.1; };
> 
> 	multiple-cnames yes;  // allow chains of CNAMEs right????????

	No.  This option is to allow the following illegal configuration.

	foo.example.com.  CNAME  alias1
	foo.example.com.  CNAME  alias2

> };
> 
> Now if BIND runs across an illegal setup, like the following:

	CNAME chains are discouraged; they are not illegal.

> 
> % dig -t a www.cs.jhu.edu
> 
> ; <<>> DiG 8.2 <<>> -t www.cs.jhu.edu 
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 4
> ;; QUERY SECTION:
> ;;	www.cs.jhu.edu, type = A, class = IN
> 
> ;; ANSWER SECTION:
> www.cs.jhu.edu.		2h2m38s IN CNAME  condor.cs.jhu.edu.
> condor.cs.jhu.edu.	1h40m20s IN CNAME  web.cs.jhu.edu.
> web.cs.jhu.edu.		1h40m20s IN A	128.220.13.101
> 
> ;; AUTHORITY SECTION:
> cs.jhu.edu.		1D IN NS	RacerX.mse.jhu.edu.
> cs.jhu.edu.		1D IN NS	rio-grande.pha.jhu.edu.
> cs.jhu.edu.		1D IN NS	blaze.cs.jhu.edu.
> cs.jhu.edu.		1D IN NS	hops.cs.jhu.edu.
> 
> ;; ADDITIONAL SECTION:
> RacerX.mse.jhu.edu.	7m2s IN A	128.220.8.2
> rio-grande.pha.jhu.edu.  6d19h31m7s IN A  128.220.26.134
> blaze.cs.jhu.edu.	1D IN A		128.220.13.50
> hops.cs.jhu.edu.	1D IN A		128.220.223.10
> 
> ;; Total query time: 1 msec
> ;; FROM: ice13.cnds.jhu.edu to SERVER: default -- 128.220.221.1
> ;; WHEN: Sat Apr 14 14:53:32 2001
> ;; MSG SIZE  sent: 32  rcvd: 244
> 
> And a client process requests a lookup of www.cs.jhu.edu, will BIND
> respond with an error saying something along the lines of "CNAME found
> where canonical name expected" or will it just follow the chain of
> CNAMEs until it gets to the A record?

	The nameserver will follow the CNAME chain if the query
	has RD set (recursion desired) and the server supplies
	recursive services to this client; RA (recursion available)
	will be set in the answer.  Note: RD and RA are set above.

> 
> nslookup has no problem:
> 
> % nslookup www.cs.jhu.edu
> Server:  localhost
> Address:  127.0.0.1
> 
> Non-authoritative answer:
> Name:    web.cs.jhu.edu
> Address:  128.220.13.101
> Aliases:  www.cs.jhu.edu, condor.cs.jhu.edu
> 
> So is BIND doing the work for nslookup or is it making multiple requests
> when it gets an error back from BIND?

	Nslookup makes recursive queries by default.

> 
> For my client library I'm using libadns. For those of you who know adns
> I'm making the following query:
> 
> <LIBADNS SPECIFIC>
> 
>   if ((err = adns_synchronous(my_adns_state, "www.cs.jhu.edu", adns_r_a,
>                               adns_qf_cname_loose, &answer)) != 0)
>     exit(fprintf(stderr, "adns_synchronous failed: %s\n",
>                  strerror(err)));
> 
>   if (answer->status != 0)
>     exit(fprintf(stderr, "query failure: %s\n",
>                  adns_strerror(answer->status)));
> 
> Which prints out the following error:
> 
> query failure: DNS alias found where canonical name wanted
> 
> adnshost has the same problem:
> 
> % ./adnshost www.cs.jhu.edu
> www.cs.jhu.edu CNAME condor.cs.jhu.edu
> Error during DNS A lookup for www.cs.jhu.edu: DNS alias found where
> canonical name wanted
> 
> This implies to me that BIND is either responding with a CNAME chain
> error or that adns is making multiple queries for the A record that I
> request and balks when it sees a CNAME chain. But even if the second
> case is what is happening shouldn't the adns_qf_cname_loose option allow
> this? Any ideas?

	No idea, I haven't looked at this API.

> 
> </LIBADNS SPECIFIC>
> 
> Thanks in advance,
> John
> Research Assistant
> The Center for Networking and Distributed Systems
> The Johns Hopkins University
> 
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
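
The distinction drawn in the reply above, between a CNAME chain (legal) and several CNAMEs at one owner name (illegal), as an added example that is not part of the original message and is not BIND or adns code. It walks the answer section from the quoted dig output and goes slightly beyond the thread by also refusing loops and over-long chains; `resolve_a`, `fqdn`, `ChainError` and the cap of 8 are assumptions made for illustration.

```python
# Records constructed from the ANSWER SECTION of the dig output quoted above (TTLs dropped).
ANSWER = [
    ("www.cs.jhu.edu.", "CNAME", "condor.cs.jhu.edu."),
    ("condor.cs.jhu.edu.", "CNAME", "web.cs.jhu.edu."),
    ("web.cs.jhu.edu.", "A", "128.220.13.101"),
]

MAX_CHAIN = 8  # assumed cap on chain length; not a value taken from BIND or adns


class ChainError(Exception):
    """Hypothetical error type for this example."""


def fqdn(name):
    # DNS names compare case-insensitively; normalise to lower case with a trailing dot.
    return name.lower().rstrip(".") + "."


def resolve_a(qname, records, max_chain=MAX_CHAIN):
    """Walk one answer section; return (canonical name, addresses, aliases)."""
    cnames, addrs = {}, {}
    for owner, rtype, rdata in records:
        owner = fqdn(owner)
        if rtype == "CNAME":
            target = fqdn(rdata)
            # Two different CNAMEs at one owner: the illegal setup, not a chain.
            if cnames.setdefault(owner, target) != target:
                raise ChainError("multiple CNAMEs at " + owner)
        elif rtype == "A":
            addrs.setdefault(owner, []).append(rdata)

    name, aliases = fqdn(qname), []
    while name in cnames:
        if name in aliases:
            raise ChainError("CNAME loop at " + name)
        if len(aliases) >= max_chain:
            raise ChainError("CNAME chain longer than %d" % max_chain)
        aliases.append(name)
        name = cnames[name]  # follow one link of the chain
    if name not in addrs:
        raise ChainError("no A record for " + name)
    return name, addrs[name], aliases


if __name__ == "__main__":
    print(resolve_a("www.cs.jhu.edu", ANSWER))
```

For the quoted answer section the result lists the same canonical name, address and aliases that the nslookup output in the message shows.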

