CNAME Rules

Srinivas Krishnan shrin.krishnan at gmail.com
Mon Jun 25 21:13:25 UTC 2012


The RFC rules on CNAMEs are fairly tight, but I am seeing an increasing
amount of traffic with misconfigured CNAMEs, some of which are accepted
by BIND as valid responses. The examples capture three trends; note
these are actual responses:

1) Example-1: A CNAME in the additional section is necessary to finish
processing the response. BIND accepts this as valid:

proto: DNS: id=febd qr=1 QUERY AA NOERROR qdcount=1 ancount=7 nscount=6 arcount=7
    query: after12.failblog.org. A IN
    answer: after12.failblog.org. CNAME IN TTL=3600 chzallnighter.wordpress.com.
    answer: vip-lb.wordpress.com. A IN TTL=300 72.233.104.123
    nameserver: wordpress.com. NS IN TTL=14400 ns1.wordpress.com.
    nameserver: wordpress.com. NS IN TTL=14400 ns2.wordpress.com.
    additional: chzallnighter.wordpress.com. CNAME IN TTL=300 vip-lb.wordpress.com.
    additional: ns1.wordpress.com. A IN TTL=14400 72.233.69.14
    additional: ns2.wordpress.com. A IN TTL=14400 76.74.159.137

2) Example-2: Multiple CNAMEs with same label but different data, BIND
finds this to be incorrect and retries if another nameserver is
available:


proto: DNS: id=8faa qr=1 QUERY AA NOERROR qdcount=1 ancount=2 nscount=13
    query: image.dhgate.com. A IN
    answer: image.dhgate.com. CNAME IN TTL=7200 image.dhgate.chinacache.net.
    answer: image.dhgate.com. CNAME IN TTL=7200 image.dhgate.com.cdn20.com.
    nameserver: . NS IN TTL=518400 a.root-servers.net.
    nameserver: . NS IN TTL=518400 b.root-servers.net.
    nameserver: . NS IN TTL=518400 c.root-servers.net.

3) Example-3: Multiple CNAMEs with the same label and data. BIND finds this to
be incorrect as well and retries.

proto: DNS: id=a0f6 qr=1 QUERY AA NOERROR qdcount=1 ancount=2 nscount=3 arcount=3
    query: www.smilebox.com. A IN
    answer: www.smilebox.com. CNAME IN TTL=3600 www.g.smilebox.com.
    answer: www.smilebox.com. CNAME IN TTL=3600 www.g.smilebox.com.
    nameserver: smilebox.com. NS IN TTL=86400 ns1.smilebox.com.
    nameserver: smilebox.com. NS IN TTL=86400 ns2.smilebox.com.
    nameserver: smilebox.com. NS IN TTL=86400 ns3.smilebox.com.
    additional: ns1.smilebox.com. A IN TTL=86400 207.66.132.8
    additional: ns2.smilebox.com. A IN TTL=86400 216.218.214.52
    additional: ns3.smilebox.com. A IN TTL=86400 71.164.20.101


My question really is: what are the rules governing CNAME processing in
BIND, and why is Example-1 allowed as valid?


-srinivas
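As an added illustration (my own code, not from the post or from BIND), here is a small checker that applies the CNAME rules the three examples run into: one CNAME per owner name, and a chain that must be completed inside the answer section rather than via the additional section. The records are transcribed from the post's examples into a simplified (section, owner, type, rdata) tuple layout that is my own representation, and the problem codes it returns are my own names.

```python
from collections import defaultdict

# Records transcribed from the post's examples as (section, owner, type, rdata);
# this tuple layout is my own simplified representation, not BIND's.
EXAMPLE_1 = [
    ("answer", "after12.failblog.org.", "CNAME", "chzallnighter.wordpress.com."),
    ("answer", "vip-lb.wordpress.com.", "A", "72.233.104.123"),
    ("additional", "chzallnighter.wordpress.com.", "CNAME", "vip-lb.wordpress.com."),
]
EXAMPLE_2 = [
    ("answer", "image.dhgate.com.", "CNAME", "image.dhgate.chinacache.net."),
    ("answer", "image.dhgate.com.", "CNAME", "image.dhgate.com.cdn20.com."),
]
EXAMPLE_3 = [
    ("answer", "www.smilebox.com.", "CNAME", "www.g.smilebox.com."),
    ("answer", "www.smilebox.com.", "CNAME", "www.g.smilebox.com."),
]

def check_cname_chain(qname, qtype, records):
    """Return a list of (problem, owner) tuples; an empty list means the chain is clean.
    Rules: an owner carries at most one CNAME and no other data (RFC 1034 3.6.2), and the
    chain from qname to qtype must complete within the answer section; the additional
    section is only a hint and must not be needed to answer the query."""
    problems = []
    answers = [(o.lower(), t, d.lower()) for s, o, t, d in records if s == "answer"]
    additional = {o.lower() for s, o, t, d in records if s == "additional"}
    cnames = defaultdict(list)
    for owner, rtype, rdata in answers:
        if rtype == "CNAME":
            cnames[owner].append(rdata)
    for owner, targets in cnames.items():
        if len(targets) > 1:  # Example-2 (different data) and Example-3 (same data)
            kind = "conflicting_cnames" if len(set(targets)) > 1 else "duplicate_cname"
            problems.append((kind, owner))
        if any(o == owner and t != "CNAME" for o, t, _ in answers):
            problems.append(("cname_with_other_data", owner))
    name, seen = qname.lower(), set()
    while name not in seen:  # follow the chain using answer-section records only
        seen.add(name)
        if any(o == name and t == qtype for o, t, _ in answers):
            return problems
        if name not in cnames:  # Example-1: the next hop lives only in additional
            where = "chain_uses_additional" if name in additional else "chain_incomplete"
            problems.append((where, name))
            return problems
        name = cnames[name][0]
    problems.append(("cname_loop", name))
    return problems
```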



More information about the bind-users mailing list