Why two lookups for a CNAME?
Steve Arntzen
isc at arntzen.us
Wed Oct 21 23:27:27 UTC 2015
Makes sense. Better safe than sorry.
Thanks,
Steve.
>
> On October 21, 2015 at 4:01 PM Mark Andrews <marka at isc.org> wrote:
>
>
>
> To prevent cache poisoning via cnames. It is simpler to always
> look up the target of the cname than to figure out if we would
> accept the following data.
>
> server A has zones foo.example and bar.example configured
> server B has zone bar.example configured
>
> bar.example is only delegated to server B of the two servers above.
>
> There is a cname from www.foo.example -> www.bar.example
>
> Server A returns a complete answer but the www.bar.example data is
> from the wrong zone instance. This happens accidentally in real
> life.
>
> Mark
>
> In message
> <1401468033.15948.1445459552099.JavaMail.vpopmail at atl4oxapp02pod1.mgt.hosting.qts.netsol.com>,
> Steve Arntzen writes:
> >
> > I'm sure there's a good, simple reason for this, I just can't seem to
> > find the answer searching on the Internet.
> >
> >
> > Why does named perform a lookup for the A record when its IP is returned
> > with the CNAME in the first answer?
> >
> >
> > Using dig, I find play.google.com is a CNAME for play.l.google.com.
> >
> >
> > When asked to resolve it, named will first look for play.google.com. The
> > result will include the CNAME and the IP of the A record.
> >
> >
> > Named then makes a second request to resolve the A record.
> >
> >
> > Thanks in advance,
> >
> >
> > Steve.
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
>
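The scenario in the quoted reply, modelled as an added example (not part of the thread and not BIND's code). The `resolve` function, its `requery_target` switch and the addresses are constructed for illustration; it shows that caching server A's whole answer stores the wrong zone instance, while re-querying the CNAME target through the delegation does not.

```python
# Constructed model of the setup in the reply above. Addresses are
# documentation-range sample values, not real data.
SERVERS = {
    "A": {  # configured with both zones; bar.example is NOT delegated to it
        "foo.example": {("www.foo.example", "CNAME"): "www.bar.example"},
        "bar.example": {("www.bar.example", "A"): "192.0.2.66"},  # wrong instance
    },
    "B": {  # the only server bar.example is delegated to
        "bar.example": {("www.bar.example", "A"): "198.51.100.10"},
    },
}
DELEGATION = {"foo.example": "A", "bar.example": "B"}  # parent-side view


def enclosing(name, zones):
    """Return the zone in `zones` that contains `name`, or None."""
    return next((z for z in zones if name == z or name.endswith("." + z)), None)


def query(server, name, rtype):
    """Answer like an authoritative server, chasing CNAMEs through its own zones."""
    answer = []
    while (zone := enclosing(name, SERVERS[server])) is not None:
        records = SERVERS[server][zone]
        if (name, rtype) in records:
            answer.append((name, rtype, records[(name, rtype)]))
            break
        if (name, "CNAME") not in records:
            break
        answer.append((name, "CNAME", records[(name, "CNAME")]))
        name = records[(name, "CNAME")]
    return answer


def resolve(name, rtype="A", requery_target=True):
    """Return (address, upstream query count) for a hypothetical resolver."""
    cache, queries = {}, 0
    while (name, rtype) not in cache:
        answer = query(DELEGATION[enclosing(name, DELEGATION)], name, rtype)
        queries += 1
        for owner, typ, data in answer:
            # Safe mode keeps only records owned by the name that was asked.
            if owner == name or not requery_target:
                cache[(owner, typ)] = data
        if (name, "CNAME") in cache:
            name = cache[(name, "CNAME")]  # follow the alias, then loop
        elif (name, rtype) not in cache:
            return None, queries
    return cache[(name, rtype)], queries
```

With `requery_target=False` the resolver needs one query and ends up with server A's copy of www.bar.example; with the default it spends a second query and gets the record from server B.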