Why two lookups for a CNAME?
Reindl Harald
h.reindl at thelounge.net
Thu Oct 22 12:07:10 UTC 2015
Am 22.10.2015 um 14:01 schrieb Matus UHLAR - fantomas:
> On 22.10.15 08:01, Mark Andrews wrote:
>> To prevent cache poisoning via cnames. It it simpler to always
>> lookup the target of the cname that to figure out if we would
>> accepted the following data.
>>
>> server A has zones foo.example and bar.example configured
>> server B has zone bar.example configured
>>
>> bar.example is only delegated to server B of the two server above.
>>
>> The is a cname from www.foo.example -> www.bar.example
>>
>> Server A return a complete answer but the www.bar.example data is
>> from the wrong zone instance. This happens accidentally in real
>> life.
>
> I wonder if it's not enough to verify that the first response was received
> from proper server.
>
> Since play.l.google.com is a subdomain of play.google.com, the lookup would
> go throuth google.com nameservers again...
>
> when servers for bar.example are the same as servers for foo.example, the
> already accepted answer for foo.example is expected to contain valid answer
> for bar.example too...
well, it's better to keep things simple and whenever possible working
the same way instead premature optimization and different behavior to
keep them clear and maintainable
at the end it does not matter
most DNS results are coming from caches and if they are not in the cache
they are not frequent enough that it would matter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20151022/4d42f0b8/attachment.bin>
More information about the bind-users
mailing list