blacklisting replies, was: Proper CNAME interpretation
Ronald F. Guilmette
rfg at tristatelogic.com
Thu Sep 15 00:09:31 UTC 2011
In message <CF550BD6-BA85-4CB3-8B03-E4E1B0829A1D at mac.com>, you wrote:
>Sigh: your mail server is blacklisting email from mac.com.
Yes. Sorry about that. Too much spam from there and no indication
that anybody there gives a damn that that they gush spam. (If you
find anybody who does care, please le me know via the contact form on
my web site.)
Anyway, on-list replies are OK, I think. I mean it's not like any of
this is in any way off topic.
>> On Sep 14, 2011, at 2:27 PM, Ronald F. Guilmette wrote:
>>> The second part however seems to go more to my question, which is "What is
>>> the resolver supposed to do when some knucklehead breaks the rules and puts
>>> a CNAME in with some other stuff?"
>>
>> Depends on which query one issued. The very next paragraph of RFC-1034 is:
>>
>> "CNAME RRs cause special action in DNS software. When a name server
>> fails to find a desired RR in the resource set associated with the
>> domain name, it checks to see if the resource set consists of a CNAME
>> record with a matching class. If so, the name server includes the CNAME
>> record in the response and restarts the query at the domain name
>> specified in the data field of the CNAME record. The one exception to
>> this rule is that queries which match the CNAME type are not restarted."
That's just about a clear as mud. :-(
>> In other words, if you ask for an A record, and you get back both a CNAME an
>d an A record, then the A record matches and that's what gethostbyname()/getad
>drinfo() or whatever should receive from the resolver.
OK. That much _is_ clear from the above RFC quote.
But then if that _is_ supposed to be true, then why is nslookup all of a
sudden balking and not printing _any_ IP address for graphiteops.com
today? My local name server has _both_ a CNAME _and_ an A record cached
for that... at least that is what appears to be the case when I check
locally using:
dig graphiteops.com any @127.0.0.1
When I do that I get back:
...
graphiteops.com. 21131 IN A 72.52.4.95
graphiteops.com. 3131 IN CNAME graphiteops.com.
...
So under these circumstances, nslookup really should be printing out the
address (72.52.4.95) which I just simply do "nslookup graphiteops.com", no?
But it ain't doing that.
Also very puzzling is what I get when I just do:
dig graphiteops.com a @127.0.0.1
In this case I only get back the CNAME record, and the A record doesn't even
appear in the dig output !?!?! So what's up with that???
>If you asked for an AAAA
>record, and got that same reply of a CNAME and an A record, then the resolver
>should chase the CNAME's data field.
Yes. That part makes sense, and is abundantly clear from the RFC passage you
quoted. In short, I agree, and this is, and has been, an enlightening ex-
change for me. So thank you for that.
Now, if I can just figure out why my local dig and nslookup seem to be pro-
ducing such nonsensical (and non-standard?) results, I'll be a happy man.
>>> It sure _sounds_ like that second sentence is encouraging any & all people
>>> who are writing resolvers, or other related tools, that they should ignore
>>> any flotsam & jetsum that appear along side a CNAME.
>> ...
>By no means. You only ought to chase a CNAME if you got a CNAME *instead*
>of the resource type that you asked for.
Yea. I see now, and understand. (And thanks again.)
But as I say, my local dig & nslookup _do not_ seem to understand. In fact
they both seem to be misbehaving rather significantly, and I don't understand
that at all.
Regards,
rfg
P.S. Curiously, I am getting the exact same odd results out of dig, even
when I force it to directly query one of the authoritative servers for the
graphiteops.com domain. So, for example:
dig graphiteops.com a @pdns1.ultradns.net
only shows me the CNAME... no A record! Whereas:
dig graphiteops.com any @pdns1.ultradns.net
is showing me both the A and the CNAME. This part actually makes sense.
I asked for "ANY" so it is sending me (and showing me) everything. It is
the reslt when I explicitly ask for an `A' however that seems altogether
bizzare and also wrong, based upon what you quoted above. I am asking
explicitly for an `A' and graphiteops.com clearly _does_ have an `A'
associated with it, so the server should be sending me back the `A'
and keeping the CNAME to itself, no? But it is doing the exact opposite
of that... sending me back just the CNAME and keeping the `A' to itself.
I get the feeling that there may be something here which is beyond my
comprehension.
More information about the bind-users
mailing list