additional-from-cache and CNAME records
Jeremie Le Hen
jeremie.le-hen at epita.fr
Wed Aug 18 17:05:41 UTC 2004
Hi,
First, excuse me for my English.
This may be a FAQ, but I did not succeed in finding anything about this in the
mailing-list archives or the FAQ. I use Bind 9.2.3.
I have a zone with a CNAME pointing to a record which is totally
outside my zones. Since it is an authoritative-only name server view,
I want to disable exposure of cached private information, so I use
the "additional-from-cache" statement. The problem is that when
I disable this, the server refuses to answer all queries concerning a
CNAME pointing outside my delegation when the resolver queries for an A
record, while A and other CNAME records pointing into my delegation are
still answered correctly. When I re-enable it, it works like a charm.
Here is an example (zone example.com):
a-name IN A 123.123.123.123
point-inside IN CNAME a-name
point-outside IN CNAME another-name.at.another-domain.com.
Whatever the value of "additional-from-cache", ``a-name.example.com''
and ``point-inside.example.com'' are always answered, but this is not the
case for ``point-outside.example.com''. When "additional-from-cache"
is disabled, the latter won't be answered any longer when queried for
an A record. In this case, it would indeed normally answer with the CNAME
record, even though the query is for an A, AFAIK. Unfortunately, I must
explicitly ask for a CNAME here.
Here is an illustration:
==================================================================
=== additional-from-cache yes (the default), querying for an A ===
==================================================================
droopy:space# host -vt a point-outside.example.com
Trying "point-outside.example.com"
Using domain server:
Name: xxx.xxx.xxx.xxx
Address: xxx.xxx.xxx.xxx#53
Aliases:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27545
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
;; QUESTION SECTION:
;point-outside.example.com. IN A
;; ANSWER SECTION:
point-outside.example.com. 10800 IN CNAME another-name.at.another-domain.com.
;; AUTHORITY SECTION:
. 3600000 IN NS C.ROOT-SERVERS.NET.
. 3600000 IN NS D.ROOT-SERVERS.NET.
. 3600000 IN NS E.ROOT-SERVERS.NET.
. 3600000 IN NS F.ROOT-SERVERS.NET.
. 3600000 IN NS G.ROOT-SERVERS.NET.
. 3600000 IN NS H.ROOT-SERVERS.NET.
. 3600000 IN NS I.ROOT-SERVERS.NET.
. 3600000 IN NS J.ROOT-SERVERS.NET.
. 3600000 IN NS K.ROOT-SERVERS.NET.
. 3600000 IN NS L.ROOT-SERVERS.NET.
. 3600000 IN NS M.ROOT-SERVERS.NET.
. 3600000 IN NS A.ROOT-SERVERS.NET.
. 3600000 IN NS B.ROOT-SERVERS.NET.
Received 277 bytes from xxx.xxx.xxx.xxx#53 in 125 ms
=====================================================================
=== additional-from-cache yes (the default), querying for a CNAME ===
=====================================================================
droopy:space# host -vt cname point-outside.example.com xxx.xxx.xxx.xxx
Trying "point-outside.example.com"
Using domain server:
Name: xxx.xxx.xxx.xxx
Address: xxx.xxx.xxx.xxx#53
Aliases:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29794
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;point-outside.example.com. IN CNAME
;; ANSWER SECTION:
point-outside.example.com. 10800 IN CNAME another-name.at.another-domain.com.
;; AUTHORITY SECTION:
example.com. 10800 IN NS ns.example.com.
;; ADDITIONAL SECTION:
ns.example.com. 10800 IN A xxx.xxx.xxx.xxx
Received 146 bytes from xxx.xxx.xxx.xxx#53 in 110 ms
===================================================
=== additional-from-cache no, querying for an A ===
===================================================
droopy:space# host -vt a point-outside.example.com xxx.xxx.xxx.xxx
Trying "point-outside.example.com"
Using domain server:
Name: xxx.xxx.xxx.xxx
Address: xxx.xxx.xxx.xxx#53
Aliases:
Host point-outside.example.com not found: 5(REFUSED)
Received 37 bytes from xxx.xxx.xxx.xxx#53 in 117 ms
======================================================
=== additional-from-cache no, querying for a CNAME ===
======================================================
droopy:space# host -vt cname point-outside.example.com xxx.xxx.xxx.xxx
Trying "point-outside.example.com"
Using domain server:
Name: xxx.xxx.xxx.xxx
Address: xxx.xxx.xxx.xxx#53
Aliases:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24205
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;point-outside.example.com. IN CNAME
;; ANSWER SECTION:
point-outside.example.com. 10800 IN CNAME another-name.at.another-domain.com.
;; AUTHORITY SECTION:
example.com. 10800 IN NS ns.example.com.
;; ADDITIONAL SECTION:
ns.example.com. 10800 IN A xxx.xxx.xxx.xxx
Received 146 bytes from xxx.xxx.xxx.xxx#53 in 156 ms
As you can see, when "additional-from-cache" is disabled, if the
query is for an A record, it unfortunately won't be answered.
I'm not aware of what the RFC says, but what I know is that Windows and Linux
resolvers will only try for an A record, not for a CNAME one, so it
won't work :-/. Is there anything I have missed when configuring
my name server view? Is this a feature, or is this a bug?
I would really like to prevent my name server view from disclosing cached
information, but having the same behaviour when querying for an A
record when it is in fact a CNAME one pointing outside the delegation
*is* a must.
Please CC me when replying to this mail since I'm not subscribed to the
bind-users@ list.
Best regards,
--
Jeremie LE HEN aka TtZ/TataZ jeremie.le-hen at epita.fr
ttz at epita.fr
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!
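An added example, not from Jeremie's mail or from BIND: a small dependency-free Python client that sends the two queries from the mail (an A query and a CNAME query for the alias, with rd=0 as an authoritative-only view should be asked) and classifies the pair of answers, so the REFUSED-on-A symptom can be checked for after a configuration change. The server address, the alias name and any response bytes used offline are assumptions or constructed data, not values from the post.

```python
import socket
import struct
# Added example (not from the mail or from BIND): minimal DNS client for the A/CNAME check.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(qname, qtype, txid=0x1234):
    """Plain rd=0 query, the kind an authoritative-only view should be asked."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + name + struct.pack("!HH", {"A": 1, "CNAME": 5}[qtype], 1)

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it in the message)."""
    labels, end = [], None
    while (n := msg[off]) != 0:
        if n & 0xC0:                 # compression pointer: remember where we were, then follow it
            end, off = end or off + 2, ((n & 0x3F) << 8) | msg[off + 1]
        else:
            labels.append(msg[off + 1:off + 1 + n].decode())
            off += 1 + n
    return ".".join(labels) + ".", end or off + 1

def parse_response(msg):
    """Return (rcode, [(owner, rtype, rdata)]) from the answer section of a DNS response."""
    flags, qd, an = struct.unpack("!HHH", msg[2:8])
    rcode, off, answers = RCODES.get(flags & 0xF, str(flags & 0xF)), 12, []
    for _ in range(qd):              # skip the question: name, qtype, qclass
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = read_name(msg, off + 10)[0] if rtype == 5 else msg[off + 10:off + 10 + rdlen].hex()
        answers.append((owner, rtype, rdata))
        off += 10 + rdlen
    return rcode, answers

def diagnose(a_resp, cname_resp):
    """'refused-alias' is the symptom from the mail: A refused while the CNAME query is answered."""
    a_rcode, a_ans = parse_response(a_resp)
    c_ans = parse_response(cname_resp)[1]
    if a_rcode == "REFUSED" and any(t == 5 for _, t, _ in c_ans):
        return "refused-alias"
    return "alias-answered" if any(t == 5 for _, t, _ in a_ans) else a_rcode

def probe(server, qname, timeout=3.0):  # live check against a server assumed reachable on UDP/53
    def ask(qtype):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(qname, qtype), (server, 53))
            return s.recv(4096)
    return diagnose(ask("A"), ask("CNAME"))
```

Calling `probe("192.0.2.53", "point-outside.example.com")` against your own view returns "refused-alias" for the behaviour shown in the mail and "alias-answered" once the A query gets the CNAME back.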