DNS Updates and CNAME Records

Kevin Darcy kcd at daimlerchrysler.com
Tue Aug 14 22:09:00 UTC 2001


According to RFC 2136, neither REFUSED nor SERVFAIL is appropriate here:
REFUSED is an explicit refusal due to security or policy reasons, and SERVFAIL
is an internal error in the nameserver. I think prerequisites are the
_correct_ way for the client to get decent feedback on bogus CNAME update
requests.


- Kevin

Waltner, Steve wrote:

> I've been doing final testing on the web based DNS editing system that I
> have been developing and ran into a little snag. I'm currently running BIND
> 8.2.3-REL, but will be upgrading to BIND 9.1.3 once I deploy the new domain
> editing system (the help desk folks are used to scanning the BIND 8 output
> after reloading a zone file to check for errors, so I was holding off on the
> upgrade to make it easier for them). The Perl script I am writing uses the
> Net::DNS module to generate DNS update packets to modify a zone file and
> I've run into a small problem with handling CNAME records into the domain.
>
> When using my 8.2.3, the server will gladly insert a CNAME record when there
> is already other data, and vice-versa. It handles it fine at first,
> responding to queries and zone transfers, but if the server is restarted,
> the zone is rejected due to CNAME and other data.
>
> When using 9.1.3, the server acts like it processes the request (returns
> NOERROR to nsupdate and Net::DNS module), although the request is ignored.
> BIND logs a message saying "attempt to add non-CNAME alongside CNAME
> ignored" or "attempt to add CNAME alongside non-CNAME ignored" through
> syslog when this happens. This seems like the wrong behavior for BIND to
> have, if it responds with NOERROR, it should have honored the request.
> Shouldn't BIND ignore the whole  packet and respond with either a SERVFAIL
> or REFUSED?
>
> Right now I'm getting around this by using prerequisites, but it's a big
> hassle putting those pre-reqs in. It would be much nicer if BIND would
> return an error when you sent it one of these updates, so I wouldn't need to
> put so much extra logic in my update scripts.
>
> BTW, I will post this CGI script on http://homepage.mac.com/swaltner/dns/
> when I get a few more issues resolved.
>
> Steve
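
Added example (not part of the original thread, and not BIND or Net::DNS code): a simplified in-memory Python model of RFC 2136 update processing, showing how the prerequisites discussed above turn the silently ignored CNAME conflict into a YXDOMAIN or YXRRSET response. The zone data, names and helper functions are constructed for illustration; the model covers only the two class-NONE prerequisite forms and ignores DNSSEC record types.

```python
import copy

NOERROR, YXDOMAIN, YXRRSET = "NOERROR", "YXDOMAIN", "YXRRSET"

def guard_prereqs(name, rtype):
    """Prerequisites (class, type, name) that make a CNAME conflict fail loudly."""
    if rtype == "CNAME":
        # RFC 2136 2.4.5 "name is not in use": class NONE, type ANY.
        # Stricter than the server: also rejects replacing an existing CNAME.
        return [("NONE", "ANY", name)]
    # RFC 2136 2.4.3 "RRset does not exist": class NONE, type CNAME.
    return [("NONE", "CNAME", name)]

def process_update(zone, prereqs, adds):
    """Apply one UPDATE to zone ({name: {rtype: set(rdata)}}); return the RCODE."""
    for _cls, rtype, name in prereqs:        # all prerequisites are checked first
        rrsets = zone.get(name, {})
        if rtype == "ANY" and rrsets:
            return YXDOMAIN                  # name is in use, nothing is applied
        if rtype != "ANY" and rtype in rrsets:
            return YXRRSET                   # RRset exists, nothing is applied
    for name, rtype, rdata in adds:
        rrsets = zone.setdefault(name, {})
        has_cname = "CNAME" in rrsets
        has_other = any(t != "CNAME" for t in rrsets)
        if (rtype == "CNAME" and has_other) or (rtype != "CNAME" and has_cname):
            continue                         # RFC 2136 3.4.2.2: silently ignored
        if rtype == "CNAME":
            rrsets["CNAME"] = {rdata}        # a CNAME add replaces the old CNAME
        else:
            rrsets.setdefault(rtype, set()).add(rdata)
    return NOERROR

# Constructed sample zone and update requests.
SAMPLE_ZONE = {"www.example.com.": {"A": {"192.0.2.10"}},
               "ftp.example.com.": {"CNAME": {"www.example.com."}}}
REQUESTS = [("www.example.com.", "CNAME", "host.example.com."),
            ("ftp.example.com.", "A", "192.0.2.20"),
            ("new.example.com.", "CNAME", "www.example.com.")]

def demo():
    """Return (name, type, rcode without prereqs, rcode with prereqs) per request."""
    rows = []
    for name, rtype, rdata in REQUESTS:
        plain = process_update(copy.deepcopy(SAMPLE_ZONE), [], [(name, rtype, rdata)])
        guarded = process_update(copy.deepcopy(SAMPLE_ZONE),
                                 guard_prereqs(name, rtype), [(name, rtype, rdata)])
        rows.append((name, rtype, plain, guarded))
    return rows

if __name__ == "__main__":
    for row in demo():
        print(*row)
```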




