wildcard cnames

Mark_Andrews at isc.org Mark_Andrews at isc.org
Tue Apr 2 23:01:18 UTC 2002


> In article <a8at3q$q6o at pub3.rc.vix.com>, Barry Margolin wrote:
> 
> > Multiple wildcards *are* allowed, e.g.
> > 
> > *   MX 10 mailhost.example.com.
> > *   A     1.2.3.4
> > 
> > It's only the CNAME record that makes your combination invalid.
> 
> I was wondering though, what is the opinion on wildcard CNAME records? A
> strict reading of 1034 means that they should NOT work, and in fact, in
> PowerDNS they don't.

	By *strict* interpretation you can have caching servers return
	*different* answers depending upon whether there was or was not
	a previous query for a CNAME record that matched the wildcard
	record.

	This is *bad* and really requires protocol work to clarify the
	situation.

> 
> Now, Bind does support wildcard CNAMEs and a potential customer of ours has
> a slave zone with a wildcard CNAME in it.
> 
> So we're wondering, is this something we should support. It requires
> modifying the RFC 1034 algorithm. Note how 'a.' mentions CNAME indirection
> and c. doesn't. 
> 
> 	 a. If the whole of QNAME is matched, we have found the
>             node.
> 
>             If the data at the node is a CNAME, and QTYPE doesn't
>             match CNAME, copy the CNAME RR into the answer section
>             of the response, change QNAME to the canonical name in
>             the CNAME RR, and go back to step 1.
> 
>             Otherwise, copy all RRs which match QTYPE into the
>             answer section and go to step 6.
> 
>          b. If a match would take us out of the authoritative data,
>             we have a referral.  This happens when we encounter a
>             node with NS RRs marking cuts along the bottom of a
>             zone.
> 
>             Copy the NS RRs for the subzone into the authority
>             section of the reply.  Put whatever addresses are
>             available into the additional section, using glue RRs
>             if the addresses are not available from authoritative
>             data or the cache.  Go to step 4.
> 
>          c. If at some label, a match is impossible (i.e., the
>             corresponding label does not exist), look to see if
>             the "*" label exists.
> 
>             If the "*" label does not exist, check whether the name
>             we are looking for is the original QNAME in the query
>             or a name we have followed due to a CNAME.  If the name
>             is original, set an authoritative name error in the
>             response and exit.  Otherwise just exit.
> 
>             If the "*" label does exist, match RRs at that node
>             against QTYPE.  If any match, copy them into the answer
>             section, but set the owner of the RR to be QNAME, and
>             not the node with the "*" label.  Go to step 6.
> 
> Does anybody know of a legitimate use of wildcard CNAME records?
> 
> Regards,
> 
> bert
> 
> -- 
> http://www.PowerDNS.com/pdns  Try our new database driven nameserver! 
> http://www.tk                               the dot in .tk
> http://lartc.org            Linux Advanced Routing & Traffic Control HOWTO
> 
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
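The two readings of RFC 1034 section 4.3.2 step 3 that bert and Mark discuss, and the caching inconsistency Mark points out, as an added example (not code from the thread, BIND or PowerDNS). The toy zone, the names and the addresses below are constructed; `lookup` implements steps 3a and 3c over a dict-backed zone, with a switch for whether a CNAME found at the "*" node is synthesized and followed (the BIND behaviour) or only matched against QTYPE (the strict reading), and `resolver_answers` models a cache that was or was not primed by an earlier QTYPE=CNAME query:

```python
"""RFC 1034 step-3 lookup with wildcards, strict vs. CNAME-following,
plus the cache-ordering inconsistency for wildcard CNAMEs.
Added example; all zone data here is constructed, not from the thread."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    owner: str
    rtype: str
    rdata: str


# Constructed toy zone: a wildcard CNAME plus an exact-match A record.
ZONE: Dict[str, List[RR]] = {
    "example.com.": [RR("example.com.", "SOA", "ns hostmaster 1 7200 3600 1209600 3600")],
    "www.example.com.": [RR("www.example.com.", "A", "192.0.2.2")],
    "target.example.com.": [RR("target.example.com.", "A", "192.0.2.1")],
    "*.example.com.": [RR("*.example.com.", "CNAME", "target.example.com.")],
}


def parent(name: str) -> Optional[str]:
    """Strip the leftmost label; None once we are above the root."""
    if name == ".":
        return None
    rest = name.split(".", 1)[1]
    return rest if rest else "."


def node_exists(zone: Dict[str, List[RR]], name: str) -> bool:
    """A node exists if it owns RRs or is an ancestor of one (empty non-terminal)."""
    if name == ".":
        return True
    return any(o == name or o.endswith("." + name) for o in zone)


def closest_wildcard(zone: Dict[str, List[RR]], qname: str) -> Optional[List[RR]]:
    """Step 3c: walk up from QNAME to the closest existing ancestor and look
    for a '*' child there.  None means the '*' label does not exist."""
    anc = parent(qname)
    while anc is not None:
        if node_exists(zone, anc):
            return zone.get("*." + anc if anc != "." else "*.")
        anc = parent(anc)
    return None


def lookup(zone: Dict[str, List[RR]], qname: str, qtype: str,
           wildcard_cname_indirection: bool) -> Tuple[str, List[RR]]:
    """Return (rcode, answer section).  With wildcard_cname_indirection=False
    step 3c only copies '*' RRs whose type equals QTYPE (strict reading); with
    True a CNAME at the '*' node is synthesized for QNAME and followed."""
    answer: List[RR] = []
    original = qname
    for _ in range(8):                                  # bound CNAME chains
        if qname in zone:                               # step 3a: exact match
            node = zone[qname]
            cname = [rr for rr in node if rr.rtype == "CNAME"]
            if cname and qtype != "CNAME":
                answer.append(cname[0])
                qname = cname[0].rdata
                continue
            answer.extend(rr for rr in node if rr.rtype == qtype)
            return "NOERROR", answer
        star = closest_wildcard(zone, qname)            # step 3c
        if star is None:
            return ("NXDOMAIN" if qname == original else "NOERROR"), answer
        matched = [RR(qname, rr.rtype, rr.rdata) for rr in star if rr.rtype == qtype]
        if matched:
            answer.extend(matched)                      # owner rewritten to QNAME
            return "NOERROR", answer
        cname = [rr for rr in star if rr.rtype == "CNAME"]
        if wildcard_cname_indirection and cname and qtype != "CNAME":
            answer.append(RR(qname, "CNAME", cname[0].rdata))
            qname = cname[0].rdata
            continue
        return "NOERROR", answer                        # strict: NODATA
    return "SERVFAIL", answer


def resolver_answers(zone: Dict[str, List[RR]], qname: str,
                     primed_by_cname_query: bool) -> Tuple[str, List[RR]]:
    """Caching resolver in front of a strict authoritative server.  If an
    earlier QTYPE=CNAME query cached the synthesized CNAME, a later QTYPE=A
    query follows it locally; otherwise the authoritative answer is NODATA."""
    cache: Dict[Tuple[str, str], List[RR]] = {}
    if primed_by_cname_query:
        _, rrs = lookup(zone, qname, "CNAME", False)
        for rr in rrs:
            cache.setdefault((rr.owner, rr.rtype), []).append(rr)
    if (qname, "CNAME") in cache:
        cname = cache[(qname, "CNAME")][0]
        rcode, rrs = lookup(zone, cname.rdata, "A", False)
        return rcode, [cname] + rrs
    return lookup(zone, qname, "A", False)


if __name__ == "__main__":
    print(lookup(ZONE, "foo.example.com.", "A", False))   # strict: NODATA
    print(lookup(ZONE, "foo.example.com.", "A", True))    # BIND-style: CNAME + A
    print(resolver_answers(ZONE, "foo.example.com.", False))
    print(resolver_answers(ZONE, "foo.example.com.", True))
```

Running it shows the two outcomes Mark describes: the same strict server yields an empty NOERROR for `A foo.example.com.` when asked cold, but a CNAME-plus-A answer when the cache already holds the synthesized CNAME from a prior `CNAME foo.example.com.` query, so the answer depends on query order rather than on zone content.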

