question about multiple CNAMEs?

Mark Andrews Mark_Andrews at isc.org
Tue Jun 26 00:29:15 UTC 2007


> In chapter 17 of DNS & Bind, 5th ed, p. 485, it says, right under the 
> heading "Multiple CNAME Records"
> 
> Quote:
> 
>    One pathological configuration that honestly hadn't occurred to
>    us [...] is multiple CNAME records attached to the same
>    domain name. Some administrators use this with round robin
>    to rotate between RRsets. For example, the records:
> 
>         fullmonty IN CNAME fullmonty1
>         fullmonty IN CNAME fullmonty2
>         fullmonty IN CNAME fullmonty3
> 
>    can be used to return all the addresses attached to fullmonty1,
>    then all the addresses of fullmonty2, then all the addresses
>    of fullmonty3 on a nameserver that didn't recognize this as the
>    abomination it is.
> 
> 
> What I want to know is, why is this so bad? I can understand resolution 
> can take slightly longer (ask for fullmonty, get fullmonty2, ask for 
> fullmonty2, get one of fullmonty2's IPs), but it seems that could be a 
> very useful feature, as described above - have something like:
> 
>   www1 IN A     200.10.100.10
>   www1 IN A     200.10.100.20
> 
>   www2 IN A     200.20.100.10
>   www2 IN A     200.20.100.20
>   www2 IN A     200.20.100.30
> 
>   www3 IN A     200.30.100.10
>   www3 IN A     200.30.100.20
> 
>   www  IN CNAME www1
>   www  IN CNAME www2
>   www  IN CNAME www3
> 
> 
> I understand that I should not use such a scheme from reading this book, 
> mainly the "CNAME and other data" rule, making CNAME a singleton RR. 
> What I don't understand is why CNAME is a singleton and why the option 
> to allow multiple CNAMEs was removed in BIND 9? I mean why is CNAME 
> regarded so differently than an A record?

	Firstly the above worked in late BIND 4 due to a bug where
	only the first CNAME record got put into the answer and
	once record rotation was added to BIND 4 a different
	CNAME got picked for each answer.  Before rotation was added
	only the first CNAME to be loaded was returned so no one
	noticed the bug.
	
	BIND 8 corrected this by default with an option to revert
	behaviour.  We also documented that it would be removed
	at a future point.

	BIND 9 removed the option to revert.  Multiple CNAMEs and
	DNSSEC do not work well together.

	What you really want is SRV support for HTTP.  SRV is designed to
	support multiple servers.
 
> When I look at that page in the book, a config like that seems like it 
> could be perfectly valid, and I could envision a large scale corporation 
> or so using such a setup to spread load. I can also see how it could be 
> gross overkill too, but how it's used should not dictate if it _can_ be 
> used, should it?

	Go read RFCs 1033, 1034 and 1035.  From them it is clear that a
	CNAME is supposed to be singular.

	The DNS is complicated enough without the standard resolution
	path in the resolver having to chase parallel CNAME chains.
	SRV has the application walk the parallel resolution paths.

> I just want to know why such a setup is considered so taboo, other than 
> possibly making initial uncached queries that much longer?
> 
> -- 
> CL 
> 
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
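As an added illustration of the rules Mark is pointing at (not code from the thread or from ISC), here is a small zone lint in Python that flags the two CNAME violations BIND 9 rejects: more than one CNAME at a name, and a CNAME alongside other data (RFC 1034 section 3.6.2). The zone data is constructed from the records quoted above; the SRV form is a sketch of the alternative Mark mentions, with hypothetical priority/weight/port values.

```python
# Added example, not from the original thread: lint a zone snippet for the
# CNAME singleton rules. CNAME is a singleton RR type: at most one CNAME per
# owner name, and no other record types at a name that has a CNAME.
from collections import defaultdict

# Constructed from the zone fragment quoted in the question.
CONSTRUCTED_ZONE = """
www1 IN A     200.10.100.10
www1 IN A     200.10.100.20
www2 IN A     200.20.100.10
www2 IN A     200.20.100.20
www2 IN A     200.20.100.30
www3 IN A     200.30.100.10
www3 IN A     200.30.100.20
www  IN CNAME www1
www  IN CNAME www2
www  IN CNAME www3
"""

# Constructed SRV form of the same intent (priority 10, weight 1, port 80 are
# hypothetical values chosen for the example).
CONSTRUCTED_SRV_ZONE = """
www1 IN A   200.10.100.10
www2 IN A   200.20.100.10
www3 IN A   200.30.100.10
_http._tcp IN SRV 10 1 80 www1
_http._tcp IN SRV 10 1 80 www2
_http._tcp IN SRV 10 1 80 www3
"""

def parse_zone(text):
    """Return {owner: [(rtype, rdata), ...]} for simple 'owner IN TYPE rdata' lines."""
    rrsets = defaultdict(list)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        owner, _cls, rtype, rdata = line.split(None, 3)
        rrsets[owner.lower()].append((rtype.upper(), rdata))
    return rrsets

def lint_cnames(rrsets):
    """Return [(owner, problem), ...]; an empty list means the zone passes."""
    problems = []
    for owner, rrs in rrsets.items():
        cnames = [rd for rt, rd in rrs if rt == "CNAME"]
        others = sorted({rt for rt, _ in rrs if rt != "CNAME"})
        if len(cnames) > 1:
            problems.append((owner, "multiple CNAME records: " + ", ".join(cnames)))
        if cnames and others:
            problems.append((owner, "CNAME and other data: " + ", ".join(others)))
    return problems

if __name__ == "__main__":
    for owner, problem in lint_cnames(parse_zone(CONSTRUCTED_ZONE)):
        print(f"{owner}: {problem}")
```

Browsers have never adopted SRV lookups for HTTP, so the SRV form shows the design Mark is describing rather than a drop-in replacement for the CNAME round robin.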
