Mark, is the first parsing step over both the Answer and Additional sections? I was under the impression that "named" parses the response into RRsets from the Answer section and, if there is a CNAME chain (both within the same zone), it follows the chain as well, but no Additional sections are checked for CNAMEs. Is that correct?

-srinivas

On Monday, June 25, 2012 5:53:04 PM UTC-4, Mark Andrews wrote:
> In message <CA+zrinE1sHkojS1fCNdcgZtF-+QQrTkqmRcfXZ1kUiBr=sq...@mail.gmail.com>, Srinivas Krishnan writes:
> > The RFC rules on CNAMEs are fairly tight, but I am seeing an increasing
> > amount of traffic with misconfigured CNAMEs, some of which are accepted
> > by BIND as valid responses. The examples capture three trends; note
> > these are actual responses:
>
> Named first parses the response to extract the records into
> RRsets. Responses with multiple CNAMEs are detected at
> this point and get rejected. Named then tries to interpret
> the parsed message and once it has seen the CNAME and
> associated RRSIGs it stops processing the result and issues
> a new query for the target of the CNAME. This is done to
> stop the cache being poisoned.
>
> > 1) Example-1: CNAME in the additional section necessary to finish
> > processing of response. BIND accepts this as valid:
> >
> > proto: DNS: id=febd qr=1 QUERY AA NOERROR qdcount=1 ancount=7 nscount=6 arcount=7
> > query: after12.failblog.org. A IN
> > answer: after12.failblog.org. CNAME IN TTL=3600 chzallnighter.wordpress.com.
> > answer: vip-lb.wordpress.com. A IN TTL=300 72.233.104.123
> > nameserver: wordpress.com. NS IN TTL=14400 ns1.wordpress.com.
> > nameserver: wordpress.com. NS IN TTL=14400 ns2.wordpress.com.
> > additional: chzallnighter.wordpress.com. CNAME IN TTL=300 vip-lb.wordpress.com.
> > additional: ns1.wordpress.com. A IN TTL=14400 72.233.69.14
> > additional: ns2.wordpress.com. A IN TTL=14400 76.74.159.137
> >
> > 2) Example-2: Multiple CNAMEs with the same label but different data. BIND
> > finds this to be incorrect and retries if another nameserver is
> > available:
> >
> > proto: DNS: id=8faa qr=1 QUERY AA NOERROR qdcount=1 ancount=2 nscount=13
> > query: image.dhgate.com. A IN
> > answer: image.dhgate.com. CNAME IN TTL=7200 image.dhgate.chinacache.net.
> > answer: image.dhgate.com. CNAME IN TTL=7200 image.dhgate.com.cdn20.com.
> > nameserver: . NS IN TTL=518400 a.root-servers.net.
> > nameserver: . NS IN TTL=518400 b.root-servers.net.
> > nameserver: . NS IN TTL=518400 c.root-servers.net.
> >
> > 3) Example-3: Multiple CNAMEs with the same label and data. BIND finds this to
> > be incorrect as well and retries.
> >
> > proto: DNS: id=a0f6 qr=1 QUERY AA NOERROR qdcount=1 ancount=2 nscount=3 arcount=3
> > query: www.smilebox.com. A IN
> > answer: www.smilebox.com. CNAME IN TTL=3600 www.g.smilebox.com.
> > answer: www.smilebox.com. CNAME IN TTL=3600 www.g.smilebox.com.
> > nameserver: smilebox.com. NS IN TTL=86400 ns1.smilebox.com.
> > nameserver: smilebox.com. NS IN TTL=86400 ns2.smilebox.com.
> > nameserver: smilebox.com. NS IN TTL=86400 ns3.smilebox.com.
> > additional: ns1.smilebox.com. A IN TTL=86400 207.66.132.8
> > additional: ns2.smilebox.com. A IN TTL=86400 216.218.214.52
> > additional: ns3.smilebox.com. A IN TTL=86400 71.164.20.101
> >
> > My question really is: what are the rules governing CNAME processing in
> > BIND, and why is Example-1 allowed as valid?
> >
> > -srinivas
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> > unsubscribe from this list
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
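The following is an added example, not BIND's own code and not something either poster wrote. It is a simplified model of the two steps Mark describes (group the raw records into RRsets and reject a response carrying more than one CNAME record at one owner name, then interpret only the answer section and stop at the first CNAME to re-query its target), run over records transcribed from the three responses quoted above (trimmed to the rows that matter). The function and class names are my own; the behaviour of named in corner cases the thread does not mention is not modelled.

```python
from collections import defaultdict
from typing import NamedTuple


class RR(NamedTuple):
    section: str  # "answer", "authority" or "additional"
    name: str
    rtype: str
    ttl: int
    rdata: str


class ResponseRejected(Exception):
    """Raised when the response fails the RRset-level sanity check."""


def parse_into_rrsets(records):
    # Step 1 (as described in the thread): group raw records into RRsets keyed
    # by (section, owner name, type). Two CNAME records at one owner name fail
    # the check, whether their rdata differ (Example-2) or match (Example-3).
    rrsets = defaultdict(list)
    for rr in records:
        rrsets[(rr.section, rr.name.lower(), rr.rtype)].append(rr)
    for (section, name, rtype), rrs in rrsets.items():
        if rtype == "CNAME" and len(rrs) > 1:
            raise ResponseRejected(f"{section}/{name}: {len(rrs)} CNAME records in one RRset")
    return dict(rrsets)


def interpret(qname, qtype, rrsets):
    # Step 2: consult only the answer section for the queried name. Once a
    # CNAME is found, stop and hand back its target for a fresh query. Nothing
    # in the additional section (the second CNAME and the vip-lb A record of
    # Example-1) is used, which is what keeps unverified data out of the cache.
    name = qname.lower()
    direct = rrsets.get(("answer", name, qtype))
    if direct:
        return ("answer", sorted(rr.rdata for rr in direct))
    cname = rrsets.get(("answer", name, "CNAME"))
    if cname:
        return ("requery", cname[0].rdata.lower())
    return ("nodata", None)


def process_response(qname, qtype, records):
    """Return ("answer", rdatas), ("requery", target), ("nodata", None) or ("rejected", why)."""
    try:
        return interpret(qname, qtype, parse_into_rrsets(records))
    except ResponseRejected as exc:
        return ("rejected", str(exc))


# Constructed from the responses quoted in the thread (authority/additional
# rows not needed for the illustration are omitted).
EXAMPLE1 = [
    RR("answer", "after12.failblog.org.", "CNAME", 3600, "chzallnighter.wordpress.com."),
    RR("answer", "vip-lb.wordpress.com.", "A", 300, "72.233.104.123"),
    RR("authority", "wordpress.com.", "NS", 14400, "ns1.wordpress.com."),
    RR("additional", "chzallnighter.wordpress.com.", "CNAME", 300, "vip-lb.wordpress.com."),
    RR("additional", "ns1.wordpress.com.", "A", 14400, "72.233.69.14"),
]
EXAMPLE2 = [
    RR("answer", "image.dhgate.com.", "CNAME", 7200, "image.dhgate.chinacache.net."),
    RR("answer", "image.dhgate.com.", "CNAME", 7200, "image.dhgate.com.cdn20.com."),
]
EXAMPLE3 = [
    RR("answer", "www.smilebox.com.", "CNAME", 3600, "www.g.smilebox.com."),
    RR("answer", "www.smilebox.com.", "CNAME", 3600, "www.g.smilebox.com."),
]

if __name__ == "__main__":
    print("Example-1:", process_response("after12.failblog.org.", "A", EXAMPLE1))
    print("Example-2:", process_response("image.dhgate.com.", "A", EXAMPLE2))
    print("Example-3:", process_response("www.smilebox.com.", "A", EXAMPLE3))
```

Run as a script, Example-1 yields a re-query for chzallnighter.wordpress.com. rather than the 72.233.104.123 address sitting in the same response, and Examples 2 and 3 are rejected before interpretation starts; this matches the observed acceptance of Example-1 and the retries on the other two.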