CNAME resolution weirdness

Ondřej Surý ondrej at isc.org
Tue Jul 26 05:39:30 UTC 2022


By using host, you are missing the important bits - the packet sizes and the header bits. Most probably the response doesn’t fit into 512 bytes, so it’s truncated. Which is not a problem because any compliant software will: a) use EDNS with at least 1232 buffer size, b) retry over TCP if it sees truncation.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 26. 7. 2022, at 1:02, Boian Bonev via bind-users <bind-users at lists.isc.org> wrote:
> 
> Hello,
> 
> For the Devuan project we use a DNS round robin for mirrors - deb.devuan.org.
> Mostly for cleanliness and separation which part is maintained by humans and
> which by tools, there is a separate zone rr.devuan.org fully maintained by
> tools. deb.devuan.org is CNAME of deb.rr.devuan.org, which in turn is the list
> of all up-to-date mirrors' A and AAAA. The master DNS server is not publicly
> visible and the only visible ones are authoritative slaves (for both zones).
> 
> The weird part is that bind is replying with CNAME and AAAA records only (using
> host, because it has shorter output, result is same with other tools):
> 
> # host deb.devuan.org ns4.devuan.dev
> Using domain server:
> Name: ns4.devuan.dev
> Address: 2a01:9e40::108#53
> Aliases: 
> 
> deb.devuan.org is an alias for deb.rr.devuan.org.
> deb.rr.devuan.org has IPv6 address 2801:82:80ff:8000::2
> deb.rr.devuan.org has IPv6 address 2001:4190:801c:1::150
> deb.rr.devuan.org has IPv6 address 2a0a:e5c0:2:2:400:c8ff:fe68:bef3
> deb.rr.devuan.org has IPv6 address 2a01:4f9:2a:fa9::2
> deb.rr.devuan.org has IPv6 address 2a01:9e40::180
> deb.rr.devuan.org has IPv6 address 2a01:4f8:162:7293::14
> deb.rr.devuan.org has IPv6 address 2001:e42:102:1704:160:16:137:156
> deb.rr.devuan.org has IPv6 address 2a01:4f8:140:1102:2b76:955d:b48f:bdf3
> deb.rr.devuan.org has IPv6 address 2607:5300:61:95f:7283:11d9:f86:e691
> deb.rr.devuan.org has IPv6 address 2001:638:a000:1021:21::1
> deb.rr.devuan.org has IPv6 address 2001:4ca0:4300::1:19
> deb.rr.devuan.org has IPv6 address 2a02:2a38:1:400:422a:422a:422a:422a
> 
> # nslookup -class=CHAOS -type=txt version.bind ns4.devuan.dev
> Server:        ns4.devuan.dev
> Address:    2a01:9e40::108#53
> 
> version.bind    text = "9.16.27-Debian"
> 
> I did check with RFC 1034 and the above does not look like a proper reply as
> per my understanding. If bind does not see itself as auth for rr.devuan.org, it
> should reply only with the CNAME, else it should include the A records too.
> 
> I have tried various options - enabling recursion makes it behave correctly but
> that is not an option for a public DNS. Replacing bind with nsd also fixes the
> behavior. As a side note knot behaves exactly like bind. I would prefer to run
> different software across the slaves. The next thing was to try with the most
> recent Debian package from the testing distribution:
> 
> The only related option in named.conf.options is "recursion no;"
> 
> # host deb.devuan.org 127.0.0.1
> Using domain server:
> Name: 127.0.0.1
> Address: 127.0.0.1#53
> Aliases: 
> 
> deb.devuan.org is an alias for deb.rr.devuan.org.
> deb.rr.devuan.org has IPv6 address 2001:638:a000:1021:21::1
> deb.rr.devuan.org has IPv6 address 2a0a:e5c0:2:2:400:c8ff:fe68:bef3
> deb.rr.devuan.org has IPv6 address 2801:82:80ff:8000::2
> deb.rr.devuan.org has IPv6 address 2001:4ca0:4300::1:19
> deb.rr.devuan.org has IPv6 address 2001:e42:102:1704:160:16:137:156
> deb.rr.devuan.org has IPv6 address 2a01:4f8:162:7293::14
> deb.rr.devuan.org has IPv6 address 2001:878:346::116
> deb.rr.devuan.org has IPv6 address 2001:4190:801c:1::150
> deb.rr.devuan.org has IPv6 address 2a01:4f9:2a:fa9::2
> deb.rr.devuan.org has IPv6 address 2a01:4f8:140:1102:2b76:955d:b48f:bdf3
> deb.rr.devuan.org has IPv6 address 2607:5300:61:95f:7283:11d9:f86:e691
> deb.rr.devuan.org has IPv6 address 2a01:9e40::180
> deb.rr.devuan.org has IPv6 address 2a02:2a38:1:400:422a:422a:422a:422a
> 
> # nslookup -class=CHAOS -type=txt version.bind 127.0.0.1
> Server:        127.0.0.1
> Address:    127.0.0.1#53
> 
> version.bind    text = "9.18.4-2-Debian"
> 
> 
> Please advise what is happening - is that expected behavior, a configuration
> option is missing or there is a bug in bind?
> 
> With best regards,
> b.

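The packet size and header bits the reply above refers to, as an added example (not part of the original messages and not ISC code): it builds a query with and without an EDNS OPT record advertising 1232 bytes, then reads the TC flag from a reply header. The sample reply bytes are constructed and the function names are hypothetical.

```python
import struct

TC_BIT = 0x0200        # "truncated" flag in the DNS header
EDNS_BUFSIZE = 1232    # UDP payload size named in the reply above

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, edns=True, qid=0x1234):
    """Build an A query; with edns=True, append an OPT record (type 41)."""
    # Flags 0x0000: plain query, RD not set (assumed: asking an authoritative server).
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", 41, EDNS_BUFSIZE, 0, 0)
    return header + question + opt

def inspect_response(msg):
    """Return what `host` does not print: message size, TC flag, section counts."""
    _qid, flags, _qd, an, _ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"size": len(msg), "tc": bool(flags & TC_BIT),
            "answers": an, "additional": ar}

def next_step(info):
    """What a client does after a UDP reply, per the reply above."""
    return "retry over TCP" if info["tc"] else "use UDP answer"

# Constructed sample (not captured from the servers in this thread): header and
# question of a reply with flags QR|AA|TC set and one answer record counted.
SAMPLE_TRUNCATED = (struct.pack("!HHHHHH", 0x1234, 0x8600, 1, 1, 0, 0)
                    + encode_name("deb.devuan.org") + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    for edns in (False, True):
        print("edns =", edns, "query bytes =", len(build_query("deb.devuan.org", edns=edns)))
    info = inspect_response(SAMPLE_TRUNCATED)
    print(info, "->", next_step(info))
```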
