Why two lookups for a CNAME?

Steve Arntzen isc at arntzen.us
Wed Oct 21 23:27:27 UTC 2015


Makes sense.  Better safe than sorry.


Thanks,


Steve.


> 
>     On October 21, 2015 at 4:01 PM Mark Andrews <marka at isc.org> wrote:
> 
> 
> 
>     To prevent cache poisoning via cnames. It is simpler to always
>     look up the target of the cname than to figure out if we would
>     accept the following data.
> 
>     server A has zones foo.example and bar.example configured
>     server B has zone bar.example configured
> 
>     bar.example is only delegated to server B of the two servers above.
> 
>     There is a cname from www.foo.example -> www.bar.example
> 
>     Server A returns a complete answer but the www.bar.example data is
>     from the wrong zone instance. This happens accidentally in real
>     life.
> 
>     Mark
> 
>     In message
> <1401468033.15948.1445459552099.JavaMail.vpopmail at atl4oxapp02pod1.mgt.hosting.qts.netsol.com>,
>     Steve Arntzen writes:
>     >
>     > I'm sure there's a good, simple reason for this, I just can't seem to
>     > find the answer searching on the Internet.
>     >
>     >
>     > Why does named perform a lookup for the A record when its IP is returned
>     > with the CNAME in the first answer?
>     >
>     >
>     > Using dig, I find play.google.com is a CNAME for play.l.google.com.
>     >
>     >
>     > When asked to resolve it, named will first look for play.google.com. The
>     > result will include the CNAME and the IP of the A record.
>     >
>     >
>     > Named then makes a second request to resolve the A record.
>     >
>     >
>     > Thanks in advance,
>     >
>     >
>     > Steve.
>     --
>     Mark Andrews, ISC
>     1 Seymour St., Dundas Valley, NSW 2117, Australia
>     PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
> 
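
Added example (not part of the original messages and not BIND code): a small Python model of the scenario Mark describes, comparing a resolver that accepts the whole CNAME chain in server A's answer with one that keeps only the CNAME and looks the target up again. Server labels, addresses (documentation ranges) and function names are constructed for illustration.

```python
# Constructed data: server A carries foo.example plus an undelegated copy of
# bar.example; only server B is delegated bar.example by the parent.
DELEGATIONS = {"foo.example.": "A", "bar.example.": "B"}
SERVERS = {
    "A": {("www.foo.example.", "CNAME"): "www.bar.example.",
          ("www.bar.example.", "A"): "192.0.2.66"},     # wrong zone instance
    "B": {("www.bar.example.", "A"): "198.51.100.10"},  # delegated instance
}

def zone_for(name):
    """Closest enclosing delegated zone for name (longest suffix match)."""
    return max((z for z in DELEGATIONS if name == z or name.endswith("." + z)),
               key=len)

def query(server, name, rtype):
    """Authoritative-style answer: the server completes the CNAME chain
    from whatever zones it has loaded, delegated to it or not."""
    data, answer, seen = SERVERS[server], [], set()
    while rtype != "CNAME" and (name, "CNAME") in data and name not in seen:
        seen.add(name)
        target = data[(name, "CNAME")]
        answer.append((name, "CNAME", target))
        name = target
    if (name, rtype) in data:
        answer.append((name, rtype, data[(name, rtype)]))
    return answer

def resolve(name, rtype="A", trust_chain=False, max_hops=8):
    """Return (rdata, queries_sent). With trust_chain=False only the record
    owned by the queried name is kept and a CNAME target is looked up again."""
    sent = []
    for _ in range(max_hops):
        server = DELEGATIONS[zone_for(name)]
        sent.append((server, name))
        answer = query(server, name, rtype)
        kept = answer if trust_chain else answer[:1]
        if not kept:
            return None, sent
        for owner, rrtype, rdata in kept:
            if owner != name:
                return None, sent
            if rrtype == rtype:
                return rdata, sent
            name = rdata  # CNAME: continue at the target name
    return None, sent

if __name__ == "__main__":
    print("trusting chain:", resolve("www.foo.example.", trust_chain=True))
    print("second lookup :", resolve("www.foo.example."))
```

Trusting the chain caches server A's address for www.bar.example after one query; the second lookup goes to the delegated server B and returns its data instead.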