CNAME Rules

Chuck Swiger cswiger at mac.com
Mon Jun 25 21:29:24 UTC 2012


On Jun 25, 2012, at 2:13 PM, Srinivas Krishnan wrote:
> The RFC rules on CNAMEs are fairly tight, but I am seeing an increasing
> amount of traffic with misconfigured CNAMEs, some of which are accepted
> by BIND as valid responses. The examples capture three trends; note that
> these are actual responses:
> 
> 1) Example-1: CNAME in the additional section necessary to finish
> processing of response. BIND accepts this as valid:
> 
> proto: DNS: id=febd qr=1 QUERY AA NOERROR qdcount=1 ancount=7
> nscount=6 arcount=7
>    query: after12.failblog.org. A IN
>    answer: after12.failblog.org. CNAME IN TTL=3600 chzallnighter.wordpress.com.
>    answer: vip-lb.wordpress.com. A IN TTL=300 72.233.104.123
>    nameserver: wordpress.com. NS IN TTL=14400 ns1.wordpress.com.
>    nameserver: wordpress.com. NS IN TTL=14400 ns2.wordpress.com.
>    additional: chzallnighter.wordpress.com. CNAME IN TTL=300
> vip-lb.wordpress.com.
>    additional: ns1.wordpress.com. A IN TTL=14400 72.233.69.14
>    additional: ns2.wordpress.com. A IN TTL=14400 76.74.159.137

This is standard CNAME chaining, per RFC-1034:

% dig after12.failblog.org @8.8.8.8
[ ... ]
;; QUESTION SECTION:
;after12.failblog.org.		IN	A

;; ANSWER SECTION:
after12.failblog.org.	3416	IN	CNAME	chzallnighter.wordpress.com.
chzallnighter.wordpress.com. 116 IN	CNAME	vip-lb.wordpress.com.
vip-lb.wordpress.com.	116	IN	A	74.200.247.187
vip-lb.wordpress.com.	116	IN	A	76.74.255.117
vip-lb.wordpress.com.	116	IN	A	76.74.255.123
vip-lb.wordpress.com.	116	IN	A	72.233.104.123
vip-lb.wordpress.com.	116	IN	A	72.233.127.217
vip-lb.wordpress.com.	116	IN	A	74.200.247.59

> 2) Example-2: Multiple CNAMEs with same label but different data, BIND
> finds this to be incorrect and retries if another nameserver is
> available:
> 
> 
> proto: DNS: id=8faa qr=1 QUERY AA NOERROR qdcount=1 ancount=2 nscount=13
>    query: image.dhgate.com. A IN
>    answer: image.dhgate.com. CNAME IN TTL=7200 image.dhgate.chinacache.net.
>    answer: image.dhgate.com. CNAME IN TTL=7200 image.dhgate.com.cdn20.com.
>    nameserver: . NS IN TTL=518400 a.root-servers.net.
>    nameserver: . NS IN TTL=518400 b.root-servers.net.
>    nameserver: . NS IN TTL=518400 c.root-servers.net.

% dig image.dhgate.com @8.8.8.8
[ ... ]
;; QUESTION SECTION:
;image.dhgate.com.		IN	A

;; ANSWER SECTION:
image.dhgate.com.	26	IN	CNAME	image.dhgate.com.cdn20.com.
image.dhgate.com.cdn20.com. 29	IN	CNAME	image.dhgate.com.wscdns.com.
image.dhgate.com.wscdns.com. 29	IN	CNAME	dhgate.com.edgesuite.net.
dhgate.com.edgesuite.net. 1381	IN	CNAME	a1015.b.akamai.net.
a1015.b.akamai.net.	20	IN	A	65.121.208.137
a1015.b.akamai.net.	20	IN	A	65.121.208.120

I wonder where chinacache.net came from in your case, unless they are using
different CDNs in different parts of the world.  Around here, they're using
Akamai EdgeSuite.

Again, this looks to be standard CNAME chaining, only your query didn't chase
image.dhgate.com.cdn20.com any further.

> 3) Example-3: Multiple CNAMEs with same label and data, BIND finds this to
> be incorrect as well and retries.
> 
> proto: DNS: id=a0f6 qr=1 QUERY AA NOERROR qdcount=1 ancount=2
> nscount=3 arcount=3
>    query: www.smilebox.com. A IN
>    answer: www.smilebox.com. CNAME IN TTL=3600 www.g.smilebox.com.
>    answer: www.smilebox.com. CNAME IN TTL=3600 www.g.smilebox.com.
>    nameserver: smilebox.com. NS IN TTL=86400 ns1.smilebox.com.
>    nameserver: smilebox.com. NS IN TTL=86400 ns2.smilebox.com.
>    nameserver: smilebox.com. NS IN TTL=86400 ns3.smilebox.com.
>    additional: ns1.smilebox.com. A IN TTL=86400 207.66.132.8
>    additional: ns2.smilebox.com. A IN TTL=86400 216.218.214.52
>    additional: ns3.smilebox.com. A IN TTL=86400 71.164.20.101
> 
> My question really is: what are the rules governing CNAME processing in
> BIND, and why is Example-1 allowed as valid?

From here, this gets:

% dig www.smilebox.com @8.8.8.8
[ ... ]
;; QUESTION SECTION:
;www.smilebox.com.		IN	A

;; ANSWER SECTION:
www.smilebox.com.	3421	IN	CNAME	www.g.smilebox.com.
www.g.smilebox.com.	121	IN	A	216.218.214.53

...which is a single CNAME pointing to an A record.  Are you sure your "ancount=2"
was really two copies of the same CNAME, rather than a CNAME and A record?

Regards,
-- 
-Chuck
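The three patterns the thread argues about, walked by a small chain checker. This is an added example, not code from the thread or from BIND; the record tuples are constructed from the responses quoted above (trimmed to the records that matter), and the checker also goes a step beyond the three cases by catching CNAME loops.

```python
from collections import defaultdict

# (section, owner, type, rdata), constructed from the three responses quoted in the thread
EXAMPLE_1 = [
    ("answer", "after12.failblog.org.", "CNAME", "chzallnighter.wordpress.com."),
    ("answer", "vip-lb.wordpress.com.", "A", "72.233.104.123"),
    ("additional", "chzallnighter.wordpress.com.", "CNAME", "vip-lb.wordpress.com."),
]
EXAMPLE_2 = [
    ("answer", "image.dhgate.com.", "CNAME", "image.dhgate.chinacache.net."),
    ("answer", "image.dhgate.com.", "CNAME", "image.dhgate.com.cdn20.com."),
]
EXAMPLE_3 = [
    ("answer", "www.smilebox.com.", "CNAME", "www.g.smilebox.com."),
    ("answer", "www.smilebox.com.", "CNAME", "www.g.smilebox.com."),
]

def check_cname_chain(qname, qtype, records, max_hops=16):
    """Follow the CNAME chain for qname; return (final rdata list, findings)."""
    cnames = defaultdict(list)          # owner -> [(section, target)]
    others = defaultdict(list)          # (owner, type) -> [rdata]
    for section, owner, rtype, rdata in records:
        if rtype == "CNAME":
            cnames[owner.lower()].append((section, rdata.lower()))
        else:
            others[(owner.lower(), rtype)].append(rdata)
    findings, seen, name = [], set(), qname.lower()
    for _ in range(max_hops):
        entries = cnames.get(name)
        if not entries:
            break                       # reached a name that is not an alias
        targets = {t for _, t in entries}
        if len(targets) > 1:            # Example-2: one owner, two different targets
            findings.append(f"conflicting CNAMEs for {name}: {sorted(targets)}")
            return [], findings
        if len(entries) > 1:            # Example-3: same owner and same target twice
            findings.append(f"duplicate CNAME for {name}")
        section, target = entries[0]
        if section != "answer":         # Example-1: chain link lives outside the answer section
            findings.append(f"CNAME for {name} found only in {section} section")
        seen.add(name)
        if target in seen:              # alias pointing back into the chain
            findings.append(f"CNAME loop at {target}")
            return [], findings
        name = target
    final = others.get((name, qtype), [])
    if not final:                       # also hit when max_hops is exhausted mid-chain
        findings.append(f"chain ends at {name} with no {qtype} record")
    return final, findings
```

Example-1 resolves but is flagged because the second hop is only in the additional section, which a resolver has less reason to trust than the answer section; Examples 2 and 3 are flagged for the reasons BIND rejects them.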

