On Sat, Aug 02, 2008 at 12:37:31PM +0000, Paul Vixie wrote:
> i believe kaminsky has shown us that no answer whose owner name does not
> match the question name, even if it appears to be within the same zone,
> should be cached. so, at a minimum, to your question above, i say yes.
...
> and on a properly paranoid caching resolver, it takes 4 transactions to
> build the following (and in this case you can see a difference in TTLs):
>
> ;; ANSWER SECTION:
> www.microsoft.com.        3599 IN CNAME toggle.www.ms.akadns.net.
> toggle.www.ms.akadns.net.  299 IN CNAME g.www.ms.akadns.net.
> g.www.ms.akadns.net.       299 IN CNAME lb1.www.ms.akadns.net.
> lb1.www.ms.akadns.net.     300 IN A     207.46.19.254
> lb1.www.ms.akadns.net.     300 IN A     207.46.192.254
> lb1.www.ms.akadns.net.     300 IN A     207.46.193.254
> lb1.www.ms.akadns.net.     300 IN A     207.46.19.190
> lb1.www.ms.akadns.net.     300 IN A     65.55.21.250
That's a nice case, thanks for pointing it out.

Unless I'm mistaken (using tcpdump), bind (9.5.0-P1) does this in 3 transactions:

1. initial query for www.microsoft.com, stopping at the CNAME toggle
2. query for toggle from akadns.net nameservers, stopping at lb1
3. query for lb1

It appears to process the two CNAMEs on akadns.net together, so there's never a request relating to g.www.ms.akadns.net.

I'm confused why Bind would accept the g.www.ms.akadns.net CNAME when it asked about toggle.www.ms.akadns.net and yet not accept the A records for lb1.www.ms.akadns.net at the same time?

I'm also not seeing the rationale behind not accepting the whole chain from toggle down to the A records - we know we're talking to the akadns.net authoritative nameserver after all. Isn't it being overly paranoid rather than properly paranoid?

Thanks for your help.

James
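The two caching policies being argued over here, simulated in Python as an added example (not from the thread, and not BIND's actual code). It replays the CNAME chain quoted above through a toy resolver twice: once accepting only records whose owner name equals the question name (Vixie's "properly paranoid" rule), and once accepting every record in the bailiwick of the server that answered (James's "whole chain" proposal). The zone split (microsoft.com served by one authority, akadns.net by another) and the behaviour of the simulated authoritative server, which follows CNAMEs within its own zone and returns the chain in one response, are assumptions for the example.

```python
"""Count resolver round trips under two record-acceptance policies.

Added example for the thread; the records are the answer section quoted
above, the zone layout and server behaviour are constructed assumptions."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class RR:
    owner: str
    ttl: int
    rtype: str
    rdata: str


def parse_rr(line: str) -> RR:
    owner, ttl, _cls, rtype, rdata = line.split()
    return RR(owner.lower(), int(ttl), rtype, rdata.lower())


# Constructed from the answer section quoted in the thread.
CHAIN = [parse_rr(l) for l in """
www.microsoft.com. 3599 IN CNAME toggle.www.ms.akadns.net.
toggle.www.ms.akadns.net. 299 IN CNAME g.www.ms.akadns.net.
g.www.ms.akadns.net. 299 IN CNAME lb1.www.ms.akadns.net.
lb1.www.ms.akadns.net. 300 IN A 207.46.19.254
lb1.www.ms.akadns.net. 300 IN A 207.46.192.254
lb1.www.ms.akadns.net. 300 IN A 207.46.193.254
lb1.www.ms.akadns.net. 300 IN A 207.46.19.190
lb1.www.ms.akadns.net. 300 IN A 65.55.21.250
""".strip().splitlines()]

# Assumed zone layout: one authoritative server per zone.
ZONES = ("microsoft.com.", "akadns.net.")


def in_zone(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)


def zone_for(name: str) -> str:
    """Longest zone in ZONES that contains name."""
    return max((z for z in ZONES if in_zone(name, z)), key=len)


def authoritative_answer(qname: str) -> Tuple[str, List[RR]]:
    """Simulated authoritative server: starts at qname and keeps adding
    records while the CNAME target stays inside its own zone, so the
    akadns.net server hands back the whole toggle -> g -> lb1 -> A chain."""
    zone = zone_for(qname)
    answer, name = [], qname
    while True:
        rrs = [r for r in CHAIN if r.owner == name]
        answer.extend(rrs)
        cnames = [r for r in rrs if r.rtype == "CNAME"]
        if not cnames or not in_zone(cnames[0].rdata, zone):
            return zone, answer
        name = cnames[0].rdata


Policy = Callable[[str, str, List[RR]], List[RR]]


def accept_question_name_only(qname: str, zone: str, rrs: List[RR]) -> List[RR]:
    """Cache only records whose owner name is exactly the name asked for."""
    return [r for r in rrs if r.owner == qname]


def accept_in_bailiwick(qname: str, zone: str, rrs: List[RR]) -> List[RR]:
    """Cache any record whose owner lies under the answering server's zone."""
    return [r for r in rrs if in_zone(r.owner, zone)]


def resolve(qname: str, policy: Policy, max_steps: int = 10) -> Tuple[int, List[RR]]:
    """Return (transactions, cached records) needed to reach A records."""
    cache: List[RR] = []
    transactions, name = 0, qname
    for _ in range(max_steps):
        transactions += 1
        zone, rrs = authoritative_answer(name)
        cache.extend(policy(name, zone, rrs))
        # Follow whatever part of the CNAME chain the cache now holds.
        while True:
            cn = [r for r in cache if r.owner == name and r.rtype == "CNAME"]
            if not cn:
                break
            name = cn[0].rdata
        if any(r.owner == name and r.rtype == "A" for r in cache):
            return transactions, cache
    raise RuntimeError("CNAME chain too long or looping")


if __name__ == "__main__":
    for pol in (accept_question_name_only, accept_in_bailiwick):
        n, cached = resolve("www.microsoft.com.", pol)
        print(f"{pol.__name__}: {n} transactions, {len(cached)} records cached")
```

The strict policy needs four round trips, matching Vixie's count; the bailiwick policy needs two, because the akadns.net server's single response covers the rest of the chain. The trade-off the thread is about is visible in `accept_in_bailiwick`: it caches owner names the resolver never asked about, on the strength of the answering server's zone alone, which is exactly the class of record Kaminsky's technique gets a resolver to accept from a forged response.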