NODATA type 3 with CNAME

Paul Vixie vixie at isc.org
Sat Aug 2 17:09:21 UTC 2008 

James Ponder <james at squish.net> writes:

>> ;; ANSWER SECTION:
>> www.microsoft.com.      3599    IN      CNAME   toggle.www.ms.akadns.net.
>> toggle.www.ms.akadns.net. 299   IN      CNAME   g.www.ms.akadns.net.
>> g.www.ms.akadns.net.    299     IN      CNAME   lb1.www.ms.akadns.net.
>> lb1.www.ms.akadns.net.  300     IN      A       207.46.19.254
>> lb1.www.ms.akadns.net.  300     IN      A       207.46.192.254
>> lb1.www.ms.akadns.net.  300     IN      A       207.46.193.254
>> lb1.www.ms.akadns.net.  300     IN      A       207.46.19.190
>> lb1.www.ms.akadns.net.  300     IN      A       65.55.21.250
>
> That's a nice case, thanks for pointing it out.
>
> Unless I'm mistaken (using tcpdump) bind (9.5.0-P1) does this in 3
> transactions:
> 1. initial query for www.microsoft.com stopping at the CNAME toggle
> 2. query for toggle from akadns.net nameservers, stopping at lb1
> 3. query for lb1
>
> It appears to process the two CNAMEs on akadns.net together, so there's
> never a request relating to g.www.ms.akadns.net.

yes.

> I'm confused why Bind would accept the g.www.ms.akadns.net CNAME when it
> asked about toggle.www.ms.akadns.net and yet not accept the A records
> for lb1.www.ms.akadns.net at the same time?

in my story about the history of thinking about baliwick, i left out the middle
part (which ends at the dawn of the kaminsky era) where it was believed that
a same-parent-zone CNAME chain was OK to cache as long as you restarted your
transaction at the terminus of that chain.  at home i don't have to wait for
IETF to catch up, i can be as paranoid as i want to me.  at work (in BIND) we
try very hard not to get ahead of the standards process on controversial
issues.  we (ISC) are an instrument of the community, and we work within it.

> I'm also not seeing the rationale behind not accepting the whole chain
> from toggle down to the A records - we know we're talking to the
> akadns.net authoritative nameserver after all.  Isn't it being overly
> paranoid rather than properly paranoid?

yes, it is, but who knew until now?
-- 
Paul Vixie

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the bind-users mailing list