Chuck,

You are using a caching resolver to check the responses, and you only see the response after it's been resolved by Google's DNS server. Try dig @ns1.wordpress.com after12.failblog.org. to see the actual records that you would receive if you were a DNS server performing an authoritative query to wordpress.

Is having a CNAME in the additional section regular CNAME chaining? My understanding was that additional sections do not contain CNAMEs.

-srinivas

On Monday, June 25, 2012 5:29:24 PM UTC-4, Chuck Swiger wrote:
> On Jun 25, 2012, at 2:13 PM, Srinivas Krishnan wrote:
> > The RFC rules on CNAMEs are fairly tight but I am seeing an increasing
> > amount of traffic with misconfigured CNAMEs some of which are accepted
> > by BIND as valid responses. The examples capture three trends, note
> > these are actual responses:
> >
> > 1) Example-1: CNAME in the additional section necessary to finish
> > processing of response. BIND accepts this as valid:
> >
> > proto: DNS: id=febd qr=1 QUERY AA NOERROR qdcount=1 ancount=7
> > nscount=6 arcount=7
> > query: after12.failblog.org. A IN
> > answer: after12.failblog.org. CNAME IN TTL=3600
> > chzallnighter.wordpress.com.
> > answer: vip-lb.wordpress.com. A IN TTL=300 72.233.104.123
> > nameserver: wordpress.com. NS IN TTL=14400 ns1.wordpress.com.
> > nameserver: wordpress.com. NS IN TTL=14400 ns2.wordpress.com.
> > additional: chzallnighter.wordpress.com. CNAME IN TTL=300
> > vip-lb.wordpress.com.
> > additional: ns1.wordpress.com. A IN TTL=14400 72.233.69.14
> > additional: ns2.wordpress.com. A IN TTL=14400 76.74.159.137
>
> This is standard CNAME chaining, per RFC-1034:
>
> % dig after12.failblog.org @8.8.8.8
> [ ... ]
> ;; QUESTION SECTION:
> ;after12.failblog.org. IN A
>
> ;; ANSWER SECTION:
> after12.failblog.org. 3416 IN CNAME chzallnighter.wordpress.com.
> chzallnighter.wordpress.com. 116 IN CNAME vip-lb.wordpress.com.
> vip-lb.wordpress.com. 116 IN A 74.200.247.187
> vip-lb.wordpress.com. 116 IN A 76.74.255.117
> vip-lb.wordpress.com. 116 IN A 76.74.255.123
> vip-lb.wordpress.com. 116 IN A 72.233.104.123
> vip-lb.wordpress.com. 116 IN A 72.233.127.217
> vip-lb.wordpress.com. 116 IN A 74.200.247.59
>
> > 2) Example-2: Multiple CNAMEs with same label but different data, BIND
> > finds this to be incorrect and retries if another nameserver is
> > available:
> >
> > proto: DNS: id=8faa qr=1 QUERY AA NOERROR qdcount=1 ancount=2 nscount=13
> > query: image.dhgate.com. A IN
> > answer: image.dhgate.com. CNAME IN TTL=7200 image.dhgate.chinacache.net.
> > answer: image.dhgate.com. CNAME IN TTL=7200 image.dhgate.com.cdn20.com.
> > nameserver: . NS IN TTL=518400 a.root-servers.net.
> > nameserver: . NS IN TTL=518400 b.root-servers.net.
> > nameserver: . NS IN TTL=518400 c.root-servers.net.
>
> % dig image.dhgate.com @8.8.8.8
> [ ... ]
> ;; QUESTION SECTION:
> ;image.dhgate.com. IN A
>
> ;; ANSWER SECTION:
> image.dhgate.com. 26 IN CNAME image.dhgate.com.cdn20.com.
> image.dhgate.com.cdn20.com. 29 IN CNAME
> image.dhgate.com.wscdns.com.
> image.dhgate.com.wscdns.com. 29 IN CNAME
> dhgate.com.edgesuite.net.
> dhgate.com.edgesuite.net. 1381 IN CNAME a1015.b.akamai.net.
> a1015.b.akamai.net. 20 IN A 65.121.208.137
> a1015.b.akamai.net. 20 IN A 65.121.208.120
>
> I wonder where chinacache.net came from in your case, unless they are using
> different CDNs in different parts of the world. Around here, they're using
> Akamai EdgeSuite.
>
> Again, this looks to be standard CNAME chaining, only your query didn't chase
> image.dhgate.com.cdn20.com any further.
>
> > 3) Example-3: Multiple CNAMEs with same and data, BIND finds this to
> > be incorrect as well and retries.
> >
> > proto: DNS: id=a0f6 qr=1 QUERY AA NOERROR qdcount=1 ancount=2
> > nscount=3 arcount=3
> > query: www.smilebox.com. A IN
> > answer: www.smilebox.com. CNAME IN TTL=3600 www.g.smilebox.com.
> > answer: www.smilebox.com. CNAME IN TTL=3600 www.g.smilebox.com.
> > nameserver: smilebox.com. NS IN TTL=86400 ns1.smilebox.com.
> > nameserver: smilebox.com. NS IN TTL=86400 ns2.smilebox.com.
> > nameserver: smilebox.com. NS IN TTL=86400 ns3.smilebox.com.
> > additional: ns1.smilebox.com. A IN TTL=86400 207.66.132.8
> > additional: ns2.smilebox.com. A IN TTL=86400 216.218.214.52
> > additional: ns3.smilebox.com. A IN TTL=86400 71.164.20.101
> >
> > My question really is what are the rules governing CNAME processing in
> > BIND and why is Example-1 allowed as valid.
>
> From here, this gets:
>
> % dig www.smilebox.com @8.8.8.8
> [ ... ]
> ;; QUESTION SECTION:
> ;www.smilebox.com. IN A
>
> ;; ANSWER SECTION:
> www.smilebox.com. 3421 IN CNAME www.g.smilebox.com.
> www.g.smilebox.com. 121 IN A 216.218.214.53
>
> ...which is a single CNAME pointing to an A record. Are you sure your
> "ancount=2"
> was really two copies of the same CNAME, rather than a CNAME and A record?
>
> Regards,
> --
> -Chuck

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
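
Added example, not part of the original thread and not BIND's own logic: a small Python check that sorts an authoritative response into the three shapes discussed above (a chain link present only in the additional section, conflicting CNAMEs at one owner name, and a duplicated CNAME). The function name `audit_cnames` and the finding labels are assumptions; the records are transcribed from the captures quoted in the thread.

```python
from collections import defaultdict

def norm(name):
    # DNS names compare case-insensitively; drop the trailing root dot.
    return name.rstrip(".").lower()

def audit_cnames(qname, records):
    """records: (section, owner, rtype, rdata) tuples from one parsed response.
    Returns a sorted list of (finding, owner_name) tuples."""
    targets = defaultdict(list)          # (section, owner) -> CNAME targets
    for section, owner, rtype, rdata in records:
        if rtype == "CNAME":
            targets[(section, norm(owner))].append(norm(rdata))
    findings = set()
    for (section, owner), tgts in targets.items():
        if len(set(tgts)) > 1:           # Example-2: same owner, different data
            findings.add(("conflicting-cname", owner))
        elif len(tgts) > 1:              # Example-3: same owner, same data
            findings.add(("duplicate-cname", owner))
    answer = {o: t[0] for (s, o), t in targets.items() if s == "answer"}
    extra = {o: t[0] for (s, o), t in targets.items() if s == "additional"}
    name, seen = norm(qname), set()
    while name in answer or name in extra:
        if name in seen:                 # guard against a CNAME loop
            findings.add(("cname-loop", name))
            break
        seen.add(name)
        if name in answer:
            name = answer[name]
        else:                            # Example-1: link only in additional
            findings.add(("link-in-additional", name))
            name = extra[name]
    return sorted(findings)

# CNAME-relevant records transcribed from the three captures in the thread.
EXAMPLE_1 = [
    ("answer", "after12.failblog.org.", "CNAME", "chzallnighter.wordpress.com."),
    ("answer", "vip-lb.wordpress.com.", "A", "72.233.104.123"),
    ("additional", "chzallnighter.wordpress.com.", "CNAME", "vip-lb.wordpress.com."),
]
EXAMPLE_2 = [
    ("answer", "image.dhgate.com.", "CNAME", "image.dhgate.chinacache.net."),
    ("answer", "image.dhgate.com.", "CNAME", "image.dhgate.com.cdn20.com."),
]
EXAMPLE_3 = [("answer", "www.smilebox.com.", "CNAME", "www.g.smilebox.com.")] * 2

if __name__ == "__main__":
    print(audit_cnames("after12.failblog.org.", EXAMPLE_1))
    print(audit_cnames("image.dhgate.com.", EXAMPLE_2))
    print(audit_cnames("www.smilebox.com.", EXAMPLE_3))
```

Run against a response seen through a caching resolver, such as the dig @8.8.8.8 output quoted above, the same check returns no findings, because the resolver has already assembled the chain in the answer section.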