On 8/24/2017 12:06 PM, Vladimír Čunát wrote:
Hello.

On 08/24/2017 05:46 PM, Hector Santos wrote:
[...] Not expecting this in my DNS resolver code, I modified the
resolver to take the CNAMEs into account and return the host names
instead.  Was this the correct thing to do, thus providing the same
results regardless of the query location? [...]

I can't see any hint in RFC2317 that resolvers should/could change the
data they obtain from upstream, even if just "expand CNAMEs" (and it's
only BCP RFC anyway).  In particular, if the particular zone is covered
by DNSSEC, you may trigger validation errors by that.


You're right. But I believe it does allude to potential problems and confusion.

As I study this more, the issue is that this old RFC promoted an unexpected CNAME for the qname in PTR results. My ISP is using it to delegate our new /27 segment of IPs.

The direct DNS server authoritative response is:

qname                  qtype   data
d.c.b.a.in-addr.arpa   PTR     host1
d.c.b.a.in-addr.arpa   PTR     host2
..
d.c.b.a.in-addr.arpa   PTR     hostN

The non-authoritative response is:

qname                  qtype   data
d.c.b.a.in-addr.arpa   CNAME   d.X.c.b.a.in-addr.arpa
d.X.c.b.a.in-addr.arpa PTR     host1
d.X.c.b.a.in-addr.arpa PTR     host2
..
d.X.c.b.a.in-addr.arpa PTR     hostN

Where X is the first IP in the delegated IP range.

Although my resolver will only return the requested PTR records, the record.name field will contain the CNAME. I am still studying the impact. The exploratory change in the resolver was basically to compare the name field with the qname, and set it to the qname if different. That way the clients will get the same expected results. I don't think it's any different from when A->CNAME->A operations are done and cached.

It does not seem it's going to be an impact on my SMTP clients/senders that could be set up to dynamically obtain the EHLO/HELO hostname by extracting the first record in a PTR lookup. But it could be an impact on incoming SMTP filter scripts that could be setting a PTR requirement. Not sure.

It does seem safe, for our system compatibility, to make it consistent. In my opinion, the delegation CNAME is meta-data and it should be passive in the query results.

Thanks for the heads up.

--
HLS


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
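As an added illustration (not code from this thread or from either poster's resolver), the following shows how a resolver can walk the RFC 2317 CNAME chain in a PTR answer like the one above and hand the client the PTR data without rewriting the owner name. The answer sections, the 192.0.2.32/27 range and the host names are constructed.

```python
# Added example (not from the thread): walk the RFC 2317 CNAME chain that a
# classless in-addr.arpa delegation puts in front of PTR records and return
# the canonical owner name together with the PTR targets. Answer sections,
# address range and host names below are constructed for illustration.
from typing import List, Tuple

RR = Tuple[str, str, str]  # (owner name, RR type, rdata)


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so names compare equal in either form."""
    return name.lower().rstrip(".")


def follow_chain(qname: str, answers: List[RR], max_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow CNAMEs from qname through the answer section and collect the PTR
    rdata at the end of the chain. The owner name is returned as the server
    sent it, not rewritten to qname, so a validating client still sees the
    records under the name they were actually signed for."""
    rrs = [(normalize(o), t.upper(), normalize(d)) for o, t, d in answers]
    name = normalize(qname)
    seen = {name}
    for _ in range(max_hops):
        ptrs = [d for o, t, d in rrs if o == name and t == "PTR"]
        if ptrs:
            return name, ptrs
        cnames = [d for o, t, d in rrs if o == name and t == "CNAME"]
        if not cnames:
            return name, []  # chain ends with no PTR data in this response
        if len(cnames) > 1:
            raise ValueError(f"more than one CNAME at {name}")
        name = cnames[0]
        if name in seen:
            raise ValueError("CNAME loop in answer section")
        seen.add(name)
    raise ValueError("CNAME chain longer than max_hops")


# Constructed answers: a /27 starting at 192.0.2.32, delegated per RFC 2317,
# so X in the thread's notation is 32.
DIRECT_ANSWER: List[RR] = [
    ("34.2.0.192.in-addr.arpa.", "PTR", "host3.example.net."),
]
DELEGATED_ANSWER: List[RR] = [
    ("33.2.0.192.in-addr.arpa.", "CNAME", "33.32.2.0.192.in-addr.arpa."),
    ("33.32.2.0.192.in-addr.arpa.", "PTR", "host1.example.net."),
    ("33.32.2.0.192.in-addr.arpa.", "PTR", "host2.example.net."),
]

if __name__ == "__main__":
    print(follow_chain("33.2.0.192.in-addr.arpa", DELEGATED_ANSWER))
```

A client that wants the thread's "same results regardless of query location" can compare the returned owner name with its qname itself, which keeps the resolver's output identical to what the upstream server signed.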
