Help tracing out a strange lookup case

Mark Andrews Mark_Andrews at isc.org
Fri Dec 26 23:18:08 UTC 2008


	This is *exactly* why there is a rule in RFC 1034 prohibiting
	the use of CNAME with anything else.  This is also why named
	enforces the rule.  The operators of share-ideas.com are
	in violation of this rule and their nameserver does not
	enforce this rule.

    RFC 1034.

    The domain system provides such a feature using the canonical name
    (CNAME) RR.  A CNAME RR identifies its owner name as an alias, and
    specifies the corresponding canonical name in the RDATA section of the
    RR.  If a CNAME RR is present at a node, no other data should be
    present; this ensures that the data for a canonical name and its aliases
    cannot be different.  This rule also insures that a cached CNAME can be
    used without checking with an authoritative server for other RR types.

	Mark

% dig crm.share-ideas.com @ns2.hc.ru.

; <<>> DiG 9.3.5-P2 <<>> crm.share-ideas.com @ns2.hc.ru.
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16891
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;crm.share-ideas.com.           IN      A

;; ANSWER SECTION:
crm.share-ideas.com.    3600    IN      A       213.242.225.169

;; Query time: 370 msec
;; SERVER: 89.111.171.191#53(89.111.171.191)
;; WHEN: Sat Dec 27 10:09:49 2008
;; MSG SIZE  rcvd: 53

% dig crm.share-ideas.com aaaa @ns2.hc.ru.

; <<>> DiG 9.3.5-P2 <<>> crm.share-ideas.com aaaa @ns2.hc.ru.
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17137
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;crm.share-ideas.com.           IN      AAAA

;; ANSWER SECTION:
crm.share-ideas.com.    3600    IN      CNAME   share-ideas.com.

;; AUTHORITY SECTION:
share-ideas.com.        3600    IN      SOA     ns1.hc.ru. support.hc.ru. 2008110347 3600 1800 604800 3600

;; Query time: 371 msec
;; SERVER: 89.111.171.191#53(89.111.171.191)
;; WHEN: Sat Dec 27 10:10:02 2008
;; MSG SIZE  rcvd: 104

% 

In message <49534ef7$0$10537$db0fefd9 at news.zen.co.uk>, Stephen Ward writes:
> On Wed, 24 Dec 2008 22:31:19 -0500, Robert Spangler wrote:
> 
> > On Wednesday 24 December 2008 20:13, Scott Haneda wrote:
> > 
> >>  Trying to help a client, they stumped me today.
> > 
> > OK, I get the same answers from all the NS servers.
> > 
> >>  dig crm.share-ideas.com
> >>
> >>  ; <<>> DiG 9.4.2-P2 <<>> crm.share-ideas.com
> >>  ;; global options:  printcmd
> >>  ;; Got answer:
> >>  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35978
> >>  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> >>
> >>  ;; QUESTION SECTION:
> >>  ;crm.share-ideas.com.  IN A
> >>
> >>  ;; ANSWER SECTION:
> >>  crm.share-ideas.com. 3600 IN A 213.242.225.169
> >>
> >>  ;; Query time: 999 msec
> >>  ;; SERVER: 208.57.0.11#53(208.57.0.11)
> >>  ;; WHEN: Wed Dec 24 07:51:24 2008
> >>  ;; MSG SIZE  rcvd: 53
> > 
> > Without seeing what the command line arguments were it's hard to tell
> > why you got the following.
> > 
> >>  ; <<>> DiG 9.4.2-P2 <<>> crm.share-ideas.com
> >>  ;; global options:  printcmd
> >>  ;; Got answer:
> >>  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2018
> >>  ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> >>
> >>  ;; QUESTION SECTION:
> >>  ;crm.share-ideas.com.  IN A
> >>
> >>  ;; ANSWER SECTION:
> >>  crm.share-ideas.com. 3380 IN CNAME share-ideas.com.
> >>  share-ideas.com. 3600 IN A 89.111.181.186
> >>
> >>  ;; Query time: 241 msec
> >>  ;; SERVER: 208.57.0.10#53(208.57.0.10)
> >>  ;; WHEN: Wed Dec 24 07:52:47 2008
> >>  ;; MSG SIZE  rcvd: 67
> > 
> >>  Currently, I can not replicate this behavior.  Maybe they made a
> >>  change, it just did not make it out to the rr's fast, I am waiting
> >>  on a reply for that question.  How can I see the serial in a zone, is
> >>  that possible?
> > 
> > dig crm.share-ideas.com soa
> > 
> >>  What stumps me is the following, run here, at a coffee shop, I am
> >>  using openDNS
> >>  dig crm.share-ideas.com @208.57.0.10 A +trace
> >>  dig crm.share-ideas.com @208.57.0.11 A +trace
> >>
> >>  Both work, I get an answer back from
> >>  ;; Received 126 bytes from 193.0.14.129#53(k.root-servers.net) in 2 ms
> >>  crm.share-ideas.com. 1611 IN A 213.242.225.169
> >>
> >>  What also has me wondering, is if I ssh into my clients machine, which
> >>  has the ISP's rr listed on that machine to be used, I can not get
> >>  anything back:
> >>
> >>  dig crm.share-ideas.com @208.57.0.10 A +trace
> >>  ;; connection timed out; no servers could be reached
> >>
> >>  dig crm.share-ideas.com @208.57.0.11 A +trace
> >>  ;; global options:  printcmd
> >>  ;; connection timed out; no servers could be reached
> >>
> >>  Those two commands work anywhere else, just not on his machine for some
> >>  reason.  Stumped.  Thanks.
> > 
> > Firewall blocking the port?
> > No DNS servers setup?
> 
> Can I just add - Appreciate you are using DIG here, but there is not a 
> Microsnot resolver/dns cache product anywhere involved here is there? Not 
> directly connected but had a similar issue with the M$ cache refusing to 
> honour cost value on rr MX records. No matter how you would dig from the 
> cl, Exchange would just keep grabbing the wrong (cached) response from 
> its own local cache despite all RR orders etc.

> Without the exact problem you are getting, how you are calling it and the 
> actual expected results there is not shed loads anyone can do so I'm 
> probably wide of the mark.
> 
> 
> -- 
> . . .
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
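
Added example, not part of the original message or of BIND: a check for the RFC 1034 "CNAME and other data" rule, plus a toy resolver showing why the same A query returned two different addresses in this thread. The records are transcribed from the dig output above; the server and cache behaviour are simplified assumptions, and all function names are hypothetical.

```python
from collections import defaultdict

# Transcribed from the dig output in this thread; the real zone file is not on the page.
OBSERVED = """
crm.share-ideas.com. 3600 IN A 213.242.225.169
crm.share-ideas.com. 3600 IN CNAME share-ideas.com.
share-ideas.com. 3600 IN A 89.111.181.186
"""
DNSSEC_OK = {"RRSIG", "NSEC"}  # later exception (RFC 4034); not present here

def parse(text):
    """Return {owner: {rrtype: [rdata]}} from 'owner ttl class type rdata' lines."""
    zone = defaultdict(lambda: defaultdict(list))
    for line in text.strip().splitlines():
        owner, _ttl, _cls, rrtype, rdata = line.split(None, 4)
        zone[owner.lower()][rrtype.upper()].append(rdata)
    return zone

def cname_violations(zone):
    """Owner names holding a CNAME together with other data (RFC 1034 3.6.2)."""
    return {o: sorted(t) for o, t in zone.items()
            if "CNAME" in t and set(t) - DNSSEC_OK - {"CNAME"}}

def authoritative(zone, name, qtype):
    """Assumed non-enforcing server: exact type if present, else the CNAME."""
    types = zone.get(name, {})
    if qtype in types:
        return [(name, qtype, r) for r in types[qtype]]
    return [(name, "CNAME", r) for r in types.get("CNAME", [])[:1]]

class Resolver:
    """Toy cache that reuses a cached CNAME for every query type."""
    def __init__(self, zone):
        self.zone, self.alias = zone, {}
    def lookup(self, name, qtype):
        if name in self.alias:  # cached alias answers any type, no upstream query
            target = self.alias[name]
            return [(name, "CNAME", target)] + self.lookup(target, qtype)
        answer = authoritative(self.zone, name, qtype)
        if answer and answer[0][1] == "CNAME" and qtype != "CNAME":
            self.alias[name] = answer[0][2]
            return answer + self.lookup(answer[0][2], qtype)
        return answer

def demo():
    """A answers from a cold cache and from one that saw an AAAA query first."""
    zone = parse(OBSERVED)
    fresh, warmed = Resolver(zone), Resolver(zone)
    warmed.lookup("crm.share-ideas.com.", "AAAA")  # caches the CNAME
    return (fresh.lookup("crm.share-ideas.com.", "A")[-1][2],
            warmed.lookup("crm.share-ideas.com.", "A")[-1][2])
```

Calling `demo()` returns both addresses seen in the thread: the cold resolver gets the A record directly, while the one that cached the CNAME follows it to share-ideas.com.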


