On Jun 25, 2012, at 2:13 PM, Srinivas Krishnan wrote:

> The RFC rules on CNAMEs are fairly tight, but I am seeing an increasing
> amount of traffic with misconfigured CNAMEs, some of which are accepted
> by BIND as valid responses. The examples capture three trends; note that
> these are actual responses:
>
> 1) Example-1: CNAME in the additional section necessary to finish
> processing of the response. BIND accepts this as valid:
>
> proto: DNS: id=febd qr=1 QUERY AA NOERROR qdcount=1 ancount=7
> nscount=6 arcount=7
> query: after12.failblog.org. A IN
> answer: after12.failblog.org. CNAME IN TTL=3600 chzallnighter.wordpress.com.
> answer: vip-lb.wordpress.com. A IN TTL=300 72.233.104.123
> nameserver: wordpress.com. NS IN TTL=14400 ns1.wordpress.com.
> nameserver: wordpress.com. NS IN TTL=14400 ns2.wordpress.com.
> additional: chzallnighter.wordpress.com. CNAME IN TTL=300 vip-lb.wordpress.com.
> additional: ns1.wordpress.com. A IN TTL=14400 72.233.69.14
> additional: ns2.wordpress.com. A IN TTL=14400 76.74.159.137
This is standard CNAME chaining, per RFC-1034:

% dig after12.failblog.org @8.8.8.8
[ ... ]
;; QUESTION SECTION:
;after12.failblog.org.          IN      A

;; ANSWER SECTION:
after12.failblog.org.   3416    IN      CNAME   chzallnighter.wordpress.com.
chzallnighter.wordpress.com. 116 IN     CNAME   vip-lb.wordpress.com.
vip-lb.wordpress.com.   116     IN      A       74.200.247.187
vip-lb.wordpress.com.   116     IN      A       76.74.255.117
vip-lb.wordpress.com.   116     IN      A       76.74.255.123
vip-lb.wordpress.com.   116     IN      A       72.233.104.123
vip-lb.wordpress.com.   116     IN      A       72.233.127.217
vip-lb.wordpress.com.   116     IN      A       74.200.247.59

> 2) Example-2: Multiple CNAMEs with the same label but different data. BIND
> finds this to be incorrect and retries if another nameserver is
> available:
>
> proto: DNS: id=8faa qr=1 QUERY AA NOERROR qdcount=1 ancount=2 nscount=13
> query: image.dhgate.com. A IN
> answer: image.dhgate.com. CNAME IN TTL=7200 image.dhgate.chinacache.net.
> answer: image.dhgate.com. CNAME IN TTL=7200 image.dhgate.com.cdn20.com.
> nameserver: . NS IN TTL=518400 a.root-servers.net.
> nameserver: . NS IN TTL=518400 b.root-servers.net.
> nameserver: . NS IN TTL=518400 c.root-servers.net.

% dig image.dhgate.com @8.8.8.8
[ ... ]
;; QUESTION SECTION:
;image.dhgate.com.              IN      A

;; ANSWER SECTION:
image.dhgate.com.       26      IN      CNAME   image.dhgate.com.cdn20.com.
image.dhgate.com.cdn20.com. 29  IN      CNAME   image.dhgate.com.wscdns.com.
image.dhgate.com.wscdns.com. 29 IN      CNAME   dhgate.com.edgesuite.net.
dhgate.com.edgesuite.net. 1381  IN      CNAME   a1015.b.akamai.net.
a1015.b.akamai.net.     20      IN      A       65.121.208.137
a1015.b.akamai.net.     20      IN      A       65.121.208.120

I wonder where chinacache.net came from in your case, unless they are
using different CDNs in different parts of the world. Around here,
they're using Akamai EdgeSuite. Again, this looks to be standard CNAME
chaining, only your query didn't chase image.dhgate.com.cdn20.com any
further.

> 3) Example-3: Multiple CNAMEs with the same label and data. BIND finds this to
> be incorrect as well and retries.
>
> proto: DNS: id=a0f6 qr=1 QUERY AA NOERROR qdcount=1 ancount=2
> nscount=3 arcount=3
> query: www.smilebox.com. A IN
> answer: www.smilebox.com. CNAME IN TTL=3600 www.g.smilebox.com.
> answer: www.smilebox.com. CNAME IN TTL=3600 www.g.smilebox.com.
> nameserver: smilebox.com. NS IN TTL=86400 ns1.smilebox.com.
> nameserver: smilebox.com. NS IN TTL=86400 ns2.smilebox.com.
> nameserver: smilebox.com. NS IN TTL=86400 ns3.smilebox.com.
> additional: ns1.smilebox.com. A IN TTL=86400 207.66.132.8
> additional: ns2.smilebox.com. A IN TTL=86400 216.218.214.52
> additional: ns3.smilebox.com. A IN TTL=86400 71.164.20.101
>
> My question really is: what are the rules governing CNAME processing in
> BIND, and why is Example-1 allowed as valid?

From here, this gets:

% dig www.smilebox.com @8.8.8.8
[ ... ]
;; QUESTION SECTION:
;www.smilebox.com.              IN      A

;; ANSWER SECTION:
www.smilebox.com.       3421    IN      CNAME   www.g.smilebox.com.
www.g.smilebox.com.     121     IN      A       216.218.214.53

...which is a single CNAME pointing to an A record. Are you sure your
"ancount=2" was really two copies of the same CNAME, rather than a CNAME
and an A record?

Regards,
-- 
-Chuck

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
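Added example, not code from the thread and not BIND's code: a small CNAME chain chaser run over the three responses quoted above, with the record tuples constructed from the proto: dumps (TTLs and classes dropped). It shows why Example-1 can only be completed by trusting a CNAME from the additional section (a cautious resolver instead stops and re-queries the last name, since additional-section records are not an answer and are routinely discarded as out-of-bailiwick), and why the two-CNAME answer sections of Examples 2 and 3 break the RFC 1034 section 3.6.2 rule that a CNAME must be the only RR at its owner. EXAMPLE_3_ALT is Chuck's alternative reading of the ancount=2 (a CNAME followed by the A it points to). The status names and the trust_additional switch are this example's own vocabulary.

```python
"""Chase a CNAME chain through a parsed DNS response and classify it.

Added illustration for the bind-users thread above; it is not BIND code.
A response is a dict mapping section name ("answer", "additional") to a
list of (owner, type, rdata) tuples.  Status strings are this example's own.
"""
from collections import defaultdict


def _index(records):
    """Group rdata by (owner, type); names are lower-cased for comparison."""
    idx = defaultdict(list)
    for owner, rtype, rdata in records:
        rtype = rtype.upper()
        idx[(owner.lower(), rtype)].append(rdata.lower() if rtype == "CNAME" else rdata)
    return idx


def chase_cname_chain(response, qname, qtype="A", trust_additional=False, max_depth=16):
    """Return (status, chain, rdata) for qname/qtype in the given response.

    complete            chain ends in qtype RRs inside the answer section
    via-additional      a link was taken from the additional section
                        (only when trust_additional=True; Example-1)
    conflicting-cnames  one owner has CNAMEs with different targets (Example-2)
    duplicate-cname     one owner carries the identical CNAME twice (Example-3)
    cname-plus-other    an owner has a CNAME alongside other data
    incomplete          chain runs off the response; re-query the last name
    loop                the chain revisits a name or exceeds max_depth
    """
    qtype = qtype.upper()
    answer = _index(response.get("answer", []))
    additional = _index(response.get("additional", []))

    # RFC 1034 3.6.2: a CNAME must be the only RR at its owner, so the answer
    # section may hold at most one CNAME per owner and nothing else there.
    for (owner, rtype), targets in answer.items():
        if rtype != "CNAME":
            continue
        if len(targets) > 1:
            status = "duplicate-cname" if len(set(targets)) == 1 else "conflicting-cnames"
            return status, [owner], sorted(set(targets))
        if any(o == owner and t != "CNAME" for (o, t) in answer):
            return "cname-plus-other", [owner], targets

    current = qname.lower()
    chain = [current]
    used_additional = False
    for _ in range(max_depth):
        if (current, qtype) in answer:
            status = "via-additional" if used_additional else "complete"
            return status, chain, answer[(current, qtype)]
        target = answer.get((current, "CNAME"))
        if target is None and trust_additional:
            target = additional.get((current, "CNAME"))
            if target is not None:
                used_additional = True
        if target is None:
            return "incomplete", chain, []
        nxt = target[0]
        if nxt in chain:
            return "loop", chain + [nxt], []
        chain.append(nxt)
        current = nxt
    return "loop", chain, []


# Records constructed from the three proto: dumps quoted in the thread.
EXAMPLE_1 = {  # the chaining CNAME sits in the additional section
    "answer": [("after12.failblog.org.", "CNAME", "chzallnighter.wordpress.com."),
               ("vip-lb.wordpress.com.", "A", "72.233.104.123")],
    "additional": [("chzallnighter.wordpress.com.", "CNAME", "vip-lb.wordpress.com."),
                   ("ns1.wordpress.com.", "A", "72.233.69.14"),
                   ("ns2.wordpress.com.", "A", "76.74.159.137")],
}
EXAMPLE_2 = {  # same owner, two different CNAME targets
    "answer": [("image.dhgate.com.", "CNAME", "image.dhgate.chinacache.net."),
               ("image.dhgate.com.", "CNAME", "image.dhgate.com.cdn20.com.")],
}
EXAMPLE_3 = {  # same owner, identical CNAME twice
    "answer": [("www.smilebox.com.", "CNAME", "www.g.smilebox.com."),
               ("www.smilebox.com.", "CNAME", "www.g.smilebox.com.")],
}
EXAMPLE_3_ALT = {  # Chuck's reading: CNAME plus the A it points to (as dig shows)
    "answer": [("www.smilebox.com.", "CNAME", "www.g.smilebox.com."),
               ("www.g.smilebox.com.", "A", "216.218.214.53")],
}

if __name__ == "__main__":
    for name, resp, q in [("Example-1 (strict)", EXAMPLE_1, "after12.failblog.org."),
                          ("Example-2", EXAMPLE_2, "image.dhgate.com."),
                          ("Example-3", EXAMPLE_3, "www.smilebox.com."),
                          ("Example-3 alt", EXAMPLE_3_ALT, "www.smilebox.com.")]:
        print(name, chase_cname_chain(resp, q))
    print("Example-1 (trusting additional)",
          chase_cname_chain(EXAMPLE_1, "after12.failblog.org.", trust_additional=True))
```

With the default strict setting Example-1 comes back "incomplete" at chzallnighter.wordpress.com., which is the point at which a resolver should issue a fresh query rather than borrow the additional-section CNAME; flipping trust_additional=True reproduces the permissive behaviour the original post describes.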