Help tracing out a strange lookup case
Mark Andrews
Mark_Andrews at isc.org
Fri Dec 26 23:18:08 UTC 2008
This is *exactly* why there is a rule in RFC 1034 prohibiting
the use of CNAME with anything else. This is also why named
enforces the rule. The operators of share-ideas.com are
in violation of this rule and their nameserver does not
enforce this rule.

RFC 1034.

    The domain system provides such a feature using the canonical name
    (CNAME) RR. A CNAME RR identifies its owner name as an alias, and
    specifies the corresponding canonical name in the RDATA section of the
    RR. If a CNAME RR is present at a node, no other data should be
    present; this ensures that the data for a canonical name and its aliases
    cannot be different. This rule also insures that a cached CNAME can be
    used without checking with an authoritative server for other RR types.

Mark

% dig crm.share-ideas.com @ns2.hc.ru.

; <<>> DiG 9.3.5-P2 <<>> crm.share-ideas.com @ns2.hc.ru.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16891
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;crm.share-ideas.com. IN A

;; ANSWER SECTION:
crm.share-ideas.com. 3600 IN A 213.242.225.169

;; Query time: 370 msec
;; SERVER: 89.111.171.191#53(89.111.171.191)
;; WHEN: Sat Dec 27 10:09:49 2008
;; MSG SIZE rcvd: 53

% dig crm.share-ideas.com aaaa @ns2.hc.ru.

; <<>> DiG 9.3.5-P2 <<>> crm.share-ideas.com aaaa @ns2.hc.ru.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17137
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;crm.share-ideas.com. IN AAAA

;; ANSWER SECTION:
crm.share-ideas.com. 3600 IN CNAME share-ideas.com.

;; AUTHORITY SECTION:
share-ideas.com. 3600 IN SOA ns1.hc.ru. support.hc.ru. 2008110347 3600 1800 604800 3600

;; Query time: 371 msec
;; SERVER: 89.111.171.191#53(89.111.171.191)
;; WHEN: Sat Dec 27 10:10:02 2008
;; MSG SIZE rcvd: 104

%

In message <49534ef7$0$10537$db0fefd9 at news.zen.co.uk>, Stephen Ward writes:
> On Wed, 24 Dec 2008 22:31:19 -0500, Robert Spangler wrote:
>
> > On Wednesday 24 December 2008 20:13, Scott Haneda wrote:
> >
> >> Trying to help a client, they stumped me today.
> >
> > OK, I get the same answers from all the NS servers.
> >
> >> dig crm.share-ideas.com
> >>
> >> ; <<>> DiG 9.4.2-P2 <<>> crm.share-ideas.com
> >> ;; global options: printcmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35978
> >> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> >>
> >> ;; QUESTION SECTION:
> >> ;crm.share-ideas.com. IN A
> >>
> >> ;; ANSWER SECTION:
> >> crm.share-ideas.com. 3600 IN A 213.242.225.169
> >>
> >> ;; Query time: 999 msec
> >> ;; SERVER: 208.57.0.11#53(208.57.0.11)
> >> ;; WHEN: Wed Dec 24 07:51:24 2008
> >> ;; MSG SIZE rcvd: 53
> >
> > Without seeing what the command line arguments were it's hard to tell
> > why you got the following.
> >
> >> ; <<>> DiG 9.4.2-P2 <<>> crm.share-ideas.com
> >> ;; global options: printcmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2018
> >> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> >>
> >> ;; QUESTION SECTION:
> >> ;crm.share-ideas.com. IN A
> >>
> >> ;; ANSWER SECTION:
> >> crm.share-ideas.com. 3380 IN CNAME share-ideas.com.
> >> share-ideas.com. 3600 IN A 89.111.181.186
> >>
> >> ;; Query time: 241 msec
> >> ;; SERVER: 208.57.0.10#53(208.57.0.10)
> >> ;; WHEN: Wed Dec 24 07:52:47 2008
> >> ;; MSG SIZE rcvd: 67
> >
> >> Currently, I can not replicate this behavior. Maybe they made a
> >> change, it just did not make it out to the rr's fast, I am waiting
> >> on a reply for that question. How can I see the serial in a zone, is
> >> that possible?
> >
> > dig crm.share-ideas.com soa
> >
> >> What stumps me is the following, run here, at a coffee shop, I am
> >> using openDNS
> >> dig crm.share-ideas.com @208.57.0.10 A +trace
> >> dig crm.share-ideas.com @208.57.0.11 A +trace
> >>
> >> Both work, I get a answer back from
> >> ;; Received 126 bytes from 193.0.14.129#53(k.root-servers.net) in 2 ms
> >> crm.share-ideas.com. 1611 IN A 213.242.225.169
> >>
> >> What also has me wondering, is if I ssh into my clients machine, which
> >> has the ISP's rr listed on that machine to be used, I can not get
> >> anything back:
> >>
> >> dig crm.share-ideas.com @208.57.0.10 A +trace
> >> ;; connection timed out; no servers could be reached
> >>
> >> dig crm.share-ideas.com @208.57.0.11 A +trace
> >> ;; global options: printcmd
> >> ;; connection timed out; no servers could be reached
> >>
> >> Those two commands work anywhere else, just not on his machine for some
> >> reason. Stumped. Thanks.
> >
> > Firewall blocking the port?
> > No DNS servers setup?
>
> Can I just add - Appreciate you are using DIG here, but there is not a
> Microsnot resolver/dns cache product anywhere involved here is there? Not
> directly connected but had a similar issue with the M$ cache refusing to
> honour cost value on rr MX records. No matter how you would dig from the
> cl, Exchange would just keep grabbing the wrong (cached) response from
> its own local cache despite all RR orders etc.
> Without the exact problem you are getting, how you are calling it and the
> actual expected results there is not shed loads anyone can do so I'm
> probably wide of the mark.
>
>
> --
> . . .
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
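
Added example, not part of the original message or of BIND: the Python below takes the records shown in the dig output in this thread, flags the owner name that carries a CNAME alongside other data, and replays queries through a simple cache to show how the answer to an A query then depends on which type was asked first. The server model (exact type if present, otherwise the CNAME) and all function names are assumptions made for illustration.

```python
from collections import defaultdict

# Records taken from the dig output quoted in this thread.
RECORDS_TEXT = """\
crm.share-ideas.com. 3600 IN A 213.242.225.169
crm.share-ideas.com. 3600 IN CNAME share-ideas.com.
share-ideas.com. 3600 IN A 89.111.181.186
"""
DNSSEC_OK = {"RRSIG", "NSEC"}  # DNSSEC records may sit beside a CNAME (RFC 4035)

def parse_records(text):
    """Parse 'owner ttl class type rdata' lines into (owner, type, rdata)."""
    out = []
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) == 5 and not line.startswith(";"):
            out.append((fields[0].lower(), fields[3].upper(), fields[4].lower()))
    return out

def cname_violations(records):
    """Owners that hold a CNAME plus other data, mapped to the offending types."""
    types = defaultdict(set)
    for owner, rtype, _ in records:
        types[owner].add(rtype)
    return {o: sorted(t - {"CNAME"} - DNSSEC_OK) for o, t in types.items()
            if "CNAME" in t and t - {"CNAME"} - DNSSEC_OK}

def auth_answer(records, name, qtype):
    """Assumed model of the server above: exact type if present, else the CNAME."""
    exact = [r for r in records if r[0] == name and r[1] == qtype]
    return exact or [r for r in records if r[0] == name and r[1] == "CNAME"]

def cached_lookup(records, name, qtypes):
    """Send queries in order through one cache; return the last query's rdata."""
    cache, result = {}, None
    for qtype in qtypes:
        owner, result = name, None
        for _ in range(8):  # bound alias chasing
            if (owner, "CNAME") in cache:  # cached CNAME is used for every type
                owner = cache[(owner, "CNAME")]
                continue
            if (owner, qtype) not in cache:
                for o, t, d in auth_answer(records, owner, qtype):
                    cache[(o, t)] = d
                if (owner, "CNAME") in cache:
                    continue
            result = cache.get((owner, qtype))
            break
    return result
```

Calling cached_lookup with ["A"] and then with ["AAAA", "A"] for crm.share-ideas.com. gives the two different addresses seen from the two resolvers in the quoted thread.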