On 9/11/2014 12:08 PM, Matus UHLAR - fantomas wrote:
On 9/11/2014 3:47 AM, Matus UHLAR - fantomas wrote:
On 10.09.14 18:13, Kevin Darcy wrote:
No, what I'm saying is that if

example.com owns an A record 203.0.113.48, and
www.example.com owns an A record 203.0.113.48, then

where does 48.113.0.203.in-addr.arpa point?

Completely your decision.
Some people will point it at example.com, some will point it at www.example.com. What you get is a mish-mosh. No consistency.

Do not mix multiple A and PTR. they are just different things.
You are creating issues where there are none.

On 11.09.14 11:20, Kevin Darcy wrote:
The issue is consistency. If you give admins choices where to point a PTR, and the RFCs don't provide any clear guidance, you're going to get inconsistent results.

sorry, but again - you are searching for consistency somewhere, where no
consistency (nor a PTR) is required.

Consistency is a good thing, isn't it? Sure, the earth isn't going to fall off its axis of rotation just because of the way people point their A and PTR records, CNAME or don't CNAME. But if we can nudge people in the direction of consistency, and there is no downside, why wouldn't we do that? That's what "best practices" are all about -- impelling people towards processes/methods/conventions that ultimately benefit *everyone*. Greatest good for the greatest number, and all that.

I haven't met a case where this level of "consistency" would be needed.
Needed? Is that where you're setting the bar here? A little too high, I'd say. My point is that consistency is a good thing, and the "CNAME to @" practice helps to foster that. Whether it's *needed* would be a whole other question. Somewhere between "necessary" and (what Alan called) "preferences" are these things called recommendations or best practices.


I have met a case where the "only one A should point to an IP" caused
troubles.
Well, sure. Some names, such as zone-apex names, *cannot* own CNAME records. If example1.com and example2.com need to resolve to the same IP, then, and assuming they are both zone-apex names, you're going to have multiple As with the same RDATA, and a reverse-record ambiguity. That's unavoidable. All I'm saying, is that in the normal case, where you have an option, "CNAME to @" makes a lot of sense and should be followed.

your argument fails immediately when there's need for more than just A on
www.example.com
If the RDATA needs to be *different* between "www" and apex, or the application/subsystem which accesses the resource makes a distinction between canonical names and aliases, sure. I'm not laying down a hard-and-fast rule. Of course there will be exceptions, where the higher-level protocols or the user requirements demand it.

(Yes, I'm aware that there was a proposal recently discussed on the DNSOP list for an MX-target convention to denote "no mail service offered here". That would presumably solve the problem I cited in the previous paragraph. But AFAIK that proposal is many years away from widespread adoption, and even if adopted, it puts an extra burden on the DNS admins to populate the "no service" MX record, which, again, is going to produce inconsistent results -- some admins will remember to do it; many won't).

... and this is just example of it.
An example of what? Of what bad things can happen when (semi-)important things are left to mere "preference"?

The same applies for all other RRs for exmaple.com Alan named crap.

Actually, the only other RR type that Alan enumerated specifically was NS, which operates on entirely different principles, and serves a significantly different function, than MX-based mail routing. Who would be looking up www.example.com with QTYPE=NS? Is that even a plausible use-case scenario?

well, me and Alan have shown examples why "www CNAME @" is not a good idea.
Alan's concern was that the "www" name could get associated with record types that the DNS admin might not have expected. This is not a problem for a competent admin, who will have realistic expectations and an understanding of CNAME mechanics. You raised the possibility that a mail server might reject messages sent erroneously to "www" and I responded that if it's going to fail anyway, at least that failure mode is better than a mail server trying to deliver mail to a web server (which is what happens in the same scenario when "www" is an independent A record).

You got anything else?

we both also said it's personal preference.
And I'm saying that's a cop-out. It should be a recommended practice -- except where there are special mitigating circumstances which make it inappropriate or unworkable -- not merely a "preference". Hair styles and musical genres are "preferences"; encouraging consistent forward/reverse mappings is something that all DNS admins have a stake in, whether they realize it or not.


What other RR types do you have in mind?

Does it matter at all? It _may_ happen, and it's the case where CNAME is
not usable
It's not usable where it's not usable, of course. But, where it *is* usable, I'm just saying it's recommended, in order to prevent reverse-record ambiguity, and to reduce maintenance in the event that the IP address changes. Did you seriously think I'd recommend something that *doesn't*work*? Please, give me a little more credit than that.

        - Kevin
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to