On 8/24/2017 12:06 PM, Vladimír Čunát wrote:
> Hello.
> On 08/24/2017 05:46 PM, Hector Santos wrote:
>> [...] Not expecting this in my DNS resolver code, I modified the
>> resolver to take the CNAMEs into account and return the host names
>> instead. Was this the correct thing to do, thus providing the same
>> results regardless of the query location? [...]
> I can't see any hint in RFC2317 that resolvers should/could change the
> data they obtain from upstream, even if just "expand CNAMEs" (and it's
> only BCP RFC anyway). In particular, if the particular zone is covered
> by DNSSEC, you may trigger validation errors by that.
You're right. But I believe it does allude to potential problems and
confusion.
As I study this more, the issue is this old RFC promoted an unexpected
CNAME for the qname in PTR results. My ISP is using it for delegating
our new /27 segment of IPs.
The direct DNS server authoritative response is:

    qname                   qtype   data
    d.c.b.a.in-addr.arpa    PTR     host1
    d.c.b.a.in-addr.arpa    PTR     host2
    ..
    d.c.b.a.in-addr.arpa    PTR     hostN

The non-authoritative response is:

    qname                   qtype   data
    d.c.b.a.in-addr.arpa    CNAME   d.X.c.b.a.in-addr.arpa
    d.X.c.b.a.in-addr.arpa  PTR     host1
    d.X.c.b.a.in-addr.arpa  PTR     host2
    ..
    d.X.c.b.a.in-addr.arpa  PTR     hostN

Where X is the first IP in the delegated IP range.
Although my resolver will only return the requested PTR records, the
record.name field will contain the CNAME. I am still studying the
impact. The exploratory change in the resolver was to basically
compare the name field with the qname, and set it to the qname if
different. That way the clients will get the same expected results.
I don't think it's any different when A->CNAME->A operations are done
and cached.
It does not seem it's going to be an impact on my SMTP clients/senders
that could be set up to dynamically obtain the EHLO/HELO hostname by
extracting the first record in a PTR lookup. But it could be an
impact on incoming SMTP filter scripts that could be setting a PTR
requirement. Not sure.
It does seem safe, for our system compatibility, to make it
consistent. In my opinion, the delegation CNAME is meta-data and it
should be passive in the query results.
Thanks for the heads up.
--
HLS
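The CNAME-to-PTR chain described in this message, as an added example that is not part of the thread or of either poster's resolver code. It follows an RFC 2317-style CNAME from the qname to the PTR RRset, refuses loops and over-long chains, and separately shows the "set the owner name to the qname" rewrite as a step applied only after the original RRsets have been validated. The answer records, host names and the /27 with first IP .0 are constructed.

```python
# Added example: walk a PTR answer section that contains an RFC 2317-style
# CNAME hop (d.c.b.a -> d.X.c.b.a) and optionally present the PTR data under
# the original qname. Records are (owner, rtype, rdata) tuples; this is a
# constructed in-memory answer, not output of any real resolver.
from typing import List, Tuple

Record = Tuple[str, str, str]


def _fqdn(name: str) -> str:
    """Canonical lowercase form with one trailing dot, for name comparison."""
    return name.lower().rstrip(".") + "."


def follow_ptr_chain(qname: str, answers: List[Record], max_hops: int = 8):
    """Return (final_owner, ptr_targets, chain) starting at qname.

    chain is the list of owner names visited, qname first. A CNAME loop or a
    chain longer than max_hops raises ValueError instead of spinning.
    """
    owner = _fqdn(qname)
    chain = [owner]
    for _ in range(max_hops):
        ptrs = [d for o, t, d in answers if _fqdn(o) == owner and t == "PTR"]
        if ptrs:
            return owner, ptrs, chain
        cnames = [d for o, t, d in answers if _fqdn(o) == owner and t == "CNAME"]
        if not cnames:
            return owner, [], chain  # dead end: no PTR and no further CNAME
        owner = _fqdn(cnames[0])
        if owner in chain:
            raise ValueError("CNAME loop at %s" % owner)
        chain.append(owner)
    raise ValueError("CNAME chain exceeds %d hops" % max_hops)


def chain_is_valid(qname: str, answers: List[Record]) -> bool:
    """True when the chain terminates without a loop (used by callers/tests)."""
    try:
        follow_ptr_chain(qname, answers)
        return True
    except ValueError:
        return False


def rewrite_owner_to_qname(qname: str, answers: List[Record]) -> List[Record]:
    """The exploratory change from the message: return the PTR data under the
    qname so clients see the same owner regardless of the CNAME hop. Do this
    on a copy, after any DNSSEC validation of the original RRsets, because the
    signed RRset is the one with the d.X.c.b.a owner, not this rewritten one."""
    _, ptrs, _ = follow_ptr_chain(qname, answers)
    return [(_fqdn(qname), "PTR", d) for d in ptrs]


# Constructed sample: reverse name for 10.200.100.5, delegated in a /27 whose
# first IP is .0, using the d.X.c.b.a naming scheme shown in the thread.
QNAME = "5.100.200.10.in-addr.arpa."
ANSWERS: List[Record] = [
    ("5.100.200.10.in-addr.arpa.", "CNAME", "5.0.100.200.10.in-addr.arpa."),
    ("5.0.100.200.10.in-addr.arpa.", "PTR", "host1.example.net."),
    ("5.0.100.200.10.in-addr.arpa.", "PTR", "host2.example.net."),
]
```

Running follow_ptr_chain(QNAME, ANSWERS) yields the d.X.c.b.a owner plus both PTR targets, while rewrite_owner_to_qname returns the same targets under the qname the client asked for.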
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop