NODATA type 3 with CNAME - DNS


Thread: NODATA type 3 with CNAME

  1. NODATA type 3 with CNAME

    Hi

    Can someone clarify for me the section in RFC 2308 on type 3 NODATA
    responses when there is a CNAME?

    The RFC shows an example where the response is a NOERROR with 0 answers,
    0 authorities and 0 additionals, indicating that this is a type 3 NODATA
    response, and then goes on to say that a CNAME could also be included,
    "in which case it would be the value of the last CNAME for which NODATA
    would be concluded."

    The reason for my question is that all 4 of the authoritative
    nameservers for news.bbc.co.uk respond with what looks to me like a type
    3 NODATA response, but clearly news.bbc.co.uk is very popular and works
    well.

    $ dig news.bbc.co.uk @212.58.224.21
    ; <<>> DiG 9.3.4-P1.1 <<>> news.bbc.co.uk @212.58.224.21
    ; (1 server found)
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12148
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;news.bbc.co.uk. IN A

    ;; ANSWER SECTION:
    news.bbc.co.uk. 3600 IN CNAME newswww.bbc.net.uk.

    ;; Query time: 25 msec
    ;; SERVER: 212.58.224.21#53(212.58.224.21)
    ;; WHEN: Sat Aug 2 01:11:13 2008
    ;; MSG SIZE rcvd: 62

    Thanks

    James


  2. Re: NODATA type 3 with CNAME

    In article , James Ponder
    wrote:

    > Hi
    >
    > Can someone clarify for me the section in RFC 2308 on type 3 NODATA
    > responses when there is a CNAME?
    >
    > The RFC shows an example where the response is a NOERROR with 0 answers,
    > 0 authorities and 0 additionals, indicating that this is a type 3 NODATA
    > response, and then goes on to say that a CNAME could also be included,
    > "in which case it would be the value of the last CNAME for which NODATA
    > would be concluded."
    >
    > The reason for my question is that all 4 of the authoritative
    > nameservers for news.bbc.co.uk respond with what looks to me like a type
    > 3 NODATA response, but clearly news.bbc.co.uk is very popular and works
    > well.


    What's the problem? The server is authoritative for the bbc.co.uk
    domain, but not for bbc.net.uk, and has recursion disabled, so it can't
    resolve the CNAME. The client nameserver restarts its query using the
    target of the CNAME.

    >
    > $ dig news.bbc.co.uk @212.58.224.21
    > ; <<>> DiG 9.3.4-P1.1 <<>> news.bbc.co.uk @212.58.224.21
    > ; (1 server found)
    > ;; global options: printcmd
    > ;; Got answer:
    > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12148
    > ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    >
    > ;; QUESTION SECTION:
    > ;news.bbc.co.uk. IN A
    >
    > ;; ANSWER SECTION:
    > news.bbc.co.uk. 3600 IN CNAME newswww.bbc.net.uk.
    >
    > ;; Query time: 25 msec
    > ;; SERVER: 212.58.224.21#53(212.58.224.21)
    > ;; WHEN: Sat Aug 2 01:11:13 2008
    > ;; MSG SIZE rcvd: 62
    >
    > Thanks
    >
    > James


    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE don't copy me on replies, I'll read them in the group ***


  3. Re: NODATA type 3 with CNAME

    On Fri, Aug 01, 2008 at 11:54:09PM -0400, Barry Margolin wrote:
    > > Can someone clarify for me the section in RFC 2308 on type 3 NODATA
    > > responses when there is a CNAME?
    > >
    > > The RFC shows an example where the response is a NOERROR with 0 answers,
    > > 0 authorities and 0 additionals, indicating that this is a type 3 NODATA
    > > response, and then goes on to say that a CNAME could also be included,
    > > "in which case it would be the value of the last CNAME for which NODATA
    > > would be concluded."
    > >
    > > The reason for my question is that all 4 of the authoritative
    > > nameservers for news.bbc.co.uk respond with what looks to me like a type
    > > 3 NODATA response, but clearly news.bbc.co.uk is very popular and works
    > > well.

    >
    > What's the problem? The server is authoritative for the bbc.co.uk
    > domain, but not for bbc.net.uk, and has recursion disabled, so it can't
    > resolve the CNAME. The client nameserver restarts its query using the
    > target of the CNAME.


    I guess perhaps the problem is RFC 2308 was written in the days before
    bailiwick checks.

    So, would you say the correct algorithm to detect a NODATA in this
    situation is to check if the value of the last CNAME is in-bailiwick or
    not? If it's in-bailiwick then it's a type 3 NODATA, if it's outside
    then the nameserver will restart the query with the target?

    Likewise, in the case of
    bailiwick bbc.co.uk, NOERROR, 2 ans, 0 auth, 0 add
    lookup news.bbc.co.uk type A
    Answer 1: news.bbc.co.uk CNAME something.else
    Answer 2: something.else CNAME news2.bbc.co.uk

    Would I be correct in saying a resolver should not accept this as a type
    3 NODATA and should ignore the out-of-bailiwick second CNAME, and
    restart using the target of the first CNAME?

    Thanks for your help.

    James
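As an added example (my code, not from the thread or any of its participants), the following Python implements the interpretation James proposes above, together with Barry's point that the client nameserver restarts at the CNAME target: walk the CNAME chain in the ANSWER section, follow a CNAME only while its owner is inside the responding server's bailiwick, report a type 3 NODATA when the chain ends in-bailiwick without the requested type, and restart at the first target that leaves the bailiwick. `RR`, `parse_rr_line`, `in_bailiwick` and `interpret_response` are my own names; the sample answer lines are constructed from the thread's bbc.co.uk examples.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RR:
    """One resource record from an ANSWER section (TTL and class omitted)."""
    owner: str
    rtype: str
    rdata: str


def canon(name: str) -> str:
    """Lower-case a name and ensure it is fully qualified (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies below it."""
    name, zone = canon(name), canon(zone)
    return name == zone or name.endswith("." + zone)


def parse_rr_line(line: str) -> RR:
    """Parse one dig-style answer line: '<owner> <ttl> IN <type> <rdata>'."""
    owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
    return RR(canon(owner), rtype.upper(), rdata.strip())


def interpret_response(qname: str, qtype: str, answers: List[RR],
                       bailiwick: str) -> Tuple[str, str]:
    """Decide what a response from a server authoritative for `bailiwick` means.

    Returns one of
      ("ANSWER",  name)    records of qtype exist for the final name in the chain
      ("RESTART", target)  the chain left the bailiwick; re-query `target`
      ("NODATA",  name)    RFC 2308 type 3: an in-bailiwick name with no qtype data
    CNAMEs are followed only while their owner is in-bailiwick; a record with an
    out-of-bailiwick owner is ignored, so the query restarts at the first target
    that leaves the bailiwick (the second CNAME in James's example is dropped).
    """
    qname, qtype = canon(qname), qtype.upper()
    if not in_bailiwick(qname, bailiwick):
        raise ValueError(f"{qname} is outside {bailiwick}; response not trusted")
    by_owner: Dict[str, List[RR]] = {}
    for rr in answers:
        by_owner.setdefault(canon(rr.owner), []).append(rr)

    current, seen = qname, set()
    while in_bailiwick(current, bailiwick):
        if current in seen:
            raise ValueError(f"CNAME loop at {current}")
        seen.add(current)
        rrs = by_owner.get(current, [])
        if any(rr.rtype == qtype for rr in rrs):
            return ("ANSWER", current)
        cnames = [rr for rr in rrs if rr.rtype == "CNAME"]
        if not cnames:
            return ("NODATA", current)
        current = canon(cnames[0].rdata)
    return ("RESTART", current)


# Constructed inputs modelled on the thread's examples (not captured traffic).
BBC_RESPONSE = [parse_rr_line("news.bbc.co.uk. 3600 IN CNAME newswww.bbc.net.uk.")]
TWO_CNAME_RESPONSE = [
    parse_rr_line("news.bbc.co.uk. 3600 IN CNAME something.else."),
    parse_rr_line("something.else. 3600 IN CNAME news2.bbc.co.uk."),
]
IN_ZONE_NODATA = [parse_rr_line("news.bbc.co.uk. 3600 IN CNAME news2.bbc.co.uk.")]

if __name__ == "__main__":
    for label, resp in [("bbc", BBC_RESPONSE), ("two CNAMEs", TWO_CNAME_RESPONSE),
                        ("in-zone NODATA", IN_ZONE_NODATA)]:
        print(label, interpret_response("news.bbc.co.uk", "A", resp, "bbc.co.uk"))
```

The function goes slightly beyond the thread's cases: it refuses a response whose question name is itself outside the server's bailiwick, detects CNAME loops, and treats a query for type CNAME as answered by the alias record itself.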


  4. Re: NODATA type 3 with CNAME

    James Ponder writes:

    > I guess perhaps the problem is RFC 2308 was written in the days before
    > bailiwick checks.


    not at all. but bailiwick used to mean "glue had to be related" and that
    "authority had to be between initiator's zone cut and responder's zone cut."

    > So, would you say the correct algorithm to detect a NODATA in this
    > situation is to check if the value of the last CNAME is in-bailiwick or
    > not? If it's in-bailiwick then it's a type 3 NODATA, if it's outside
    > then the nameserver will restart the query with the target?


    i believe kaminsky has shown us that no answer whose owner name does not
    match the question name, even if it appears to be within the same zone,
    should be cached. so, at a minimum, to your question above, i say yes.

    > Likewise, in the case of
    > bailiwick bbc.co.uk, NOERROR, 2 ans, 0 auth, 0 add
    > lookup news.bbc.co.uk type A
    > Answer 1: news.bbc.co.uk CNAME something.else
    > Answer 2: something.else CNAME news2.bbc.co.uk
    >
    > Would I be correct in saying a resolver should not accept this as a type
    > 3 NODATA and should ignore the out-of-bailiwick second CNAME, and
    > restart using the target of the first CNAME?


    yes.

    and on a properly paranoid caching resolver, it takes 4 transactions to
    build the following (and in this case you can see a difference in TTLs):

    ;; ANSWER SECTION:
    www.microsoft.com. 3599 IN CNAME toggle.www.ms.akadns.net.
    toggle.www.ms.akadns.net. 299 IN CNAME g.www.ms.akadns.net.
    g.www.ms.akadns.net. 299 IN CNAME lb1.www.ms.akadns.net.
    lb1.www.ms.akadns.net. 300 IN A 207.46.19.254
    lb1.www.ms.akadns.net. 300 IN A 207.46.192.254
    lb1.www.ms.akadns.net. 300 IN A 207.46.193.254
    lb1.www.ms.akadns.net. 300 IN A 207.46.19.190
    lb1.www.ms.akadns.net. 300 IN A 65.55.21.250
    --
    Paul Vixie

    --
    This message has been scanned for viruses and
    dangerous content by MailScanner, and is
    believed to be clean.



  5. Re: NODATA type 3 with CNAME

    On Sat, Aug 02, 2008 at 12:37:31PM +0000, Paul Vixie wrote:
    > i believe kaminsky has shown us that no answer whose owner name does not
    > match the question name, even if it appears to be within the same zone,
    > should be cached. so, at a minimum, to your question above, i say yes.

    ....
    > and on a properly paranoid caching resolver, it takes 4 transactions to
    > build the following (and in this case you can see a difference in TTLs):
    >
    > ;; ANSWER SECTION:
    > www.microsoft.com. 3599 IN CNAME toggle.www.ms.akadns.net.
    > toggle.www.ms.akadns.net. 299 IN CNAME g.www.ms.akadns.net.
    > g.www.ms.akadns.net. 299 IN CNAME lb1.www.ms.akadns.net.
    > lb1.www.ms.akadns.net. 300 IN A 207.46.19.254
    > lb1.www.ms.akadns.net. 300 IN A 207.46.192.254
    > lb1.www.ms.akadns.net. 300 IN A 207.46.193.254
    > lb1.www.ms.akadns.net. 300 IN A 207.46.19.190
    > lb1.www.ms.akadns.net. 300 IN A 65.55.21.250


    That's a nice case, thanks for pointing it out.

    Unless I'm mistaken (using tcpdump) bind (9.5.0-P1) does this in 3
    transactions:
    1. initial query for www.microsoft.com stopping at the CNAME toggle
    2. query for toggle from akadns.net nameservers, stopping at lb1
    3. query for lb1

    It appears to process the two CNAMEs on akadns.net together, so there's
    never a request relating to g.www.ms.akadns.net.

    I'm confused why Bind would accept the g.www.ms.akadns.net CNAME when it
    asked about toggle.www.ms.akadns.net and yet not accept the A records
    for lb1.www.ms.akadns.net at the same time?

    I'm also not seeing the rationale behind not accepting the whole chain
    from toggle down to the A records - we know we're talking to the
    akadns.net authoritative nameserver after all. Isn't it being overly
    paranoid rather than properly paranoid?

    Thanks for your help.

    James


  6. Re: NODATA type 3 with CNAME

    James Ponder writes:

    >> ;; ANSWER SECTION:
    >> www.microsoft.com. 3599 IN CNAME toggle.www.ms.akadns.net.
    >> toggle.www.ms.akadns.net. 299 IN CNAME g.www.ms.akadns.net.
    >> g.www.ms.akadns.net. 299 IN CNAME lb1.www.ms.akadns.net.
    >> lb1.www.ms.akadns.net. 300 IN A 207.46.19.254
    >> lb1.www.ms.akadns.net. 300 IN A 207.46.192.254
    >> lb1.www.ms.akadns.net. 300 IN A 207.46.193.254
    >> lb1.www.ms.akadns.net. 300 IN A 207.46.19.190
    >> lb1.www.ms.akadns.net. 300 IN A 65.55.21.250

    >
    > That's a nice case, thanks for pointing it out.
    >
    > Unless I'm mistaken (using tcpdump) bind (9.5.0-P1) does this in 3
    > transactions:
    > 1. initial query for www.microsoft.com stopping at the CNAME toggle
    > 2. query for toggle from akadns.net nameservers, stopping at lb1
    > 3. query for lb1
    >
    > It appears to process the two CNAMEs on akadns.net together, so there's
    > never a request relating to g.www.ms.akadns.net.


    yes.

    > I'm confused why Bind would accept the g.www.ms.akadns.net CNAME when it
    > asked about toggle.www.ms.akadns.net and yet not accept the A records
    > for lb1.www.ms.akadns.net at the same time?


    in my story about the history of thinking about bailiwick, i left out the middle
    part (which ends at the dawn of the kaminsky era) where it was believed that
    a same-parent-zone CNAME chain was OK to cache as long as you restarted your
    transaction at the terminus of that chain. at home i don't have to wait for
    IETF to catch up, i can be as paranoid as i want to be. at work (in BIND) we
    try very hard not to get ahead of the standards process on controversial
    issues. we (ISC) are an instrument of the community, and we work within it.

    > I'm also not seeing the rationale behind not accepting the whole chain
    > from toggle down to the A records - we know we're talking to the
    > akadns.net authoritative nameserver after all. Isn't it being overly
    > paranoid rather than properly paranoid?


    yes, it is, but who knew until now?
    --
    Paul Vixie




  7. Re: NODATA type 3 with CNAME

    At Sat, 2 Aug 2008 17:21:31 +0100,
    James Ponder wrote:

    > I'm confused why Bind would accept the g.www.ms.akadns.net CNAME when it
    > asked about toggle.www.ms.akadns.net and yet not accept the A records
    > for lb1.www.ms.akadns.net at the same time?
    >
    > I'm also not seeing the rationale behind not accepting the whole chain
    > from toggle down to the A records - we know we're talking to the
    > akadns.net authoritative nameserver after all. Isn't it being overly
    > paranoid rather than properly paranoid?


    If I understand this correctly, this is because of Section 5.4.1 of
    RFC 2181. Specifically, the following part:

    Note that the answer section of an authoritative answer normally
    contains only authoritative data. However when the name sought is an
    alias (see section 10.1.1) only the record describing that alias is
    necessarily authoritative. Clients should assume that other records
    may have come from the server's cache. Where authoritative answers
    are required, the client should query again, using the canonical name
    associated with the alias.

    ---
    JINMEI, Tatuya
    Internet Systems Consortium, Inc.
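To make the transaction counts in Paul's and James's posts concrete, here is an added simulation (my code, not BIND's and not from any participant) of an iterative resolver with two caching policies: `strict`, which caches only records whose owner name matches the name asked (Paul's "properly paranoid" rule, and the reading of RFC 2181 section 5.4.1 that Jinmei quotes), and `same_zone`, which also caches in-zone CNAMEs but restarts at the chain's terminus, as James observed BIND 9.5.0-P1 doing. The zone contents are constructed from the ANSWER SECTION Paul posted; which server holds which names is an assumption of the model, as are all the function names.

```python
from typing import Dict, List, Tuple

# Constructed zone data modelled on the ANSWER SECTION in the thread. The
# split of names between the two zones is an assumption for the simulation.
ZONES: Dict[str, List[Tuple[str, str, str]]] = {
    "microsoft.com.": [
        ("www.microsoft.com.", "CNAME", "toggle.www.ms.akadns.net."),
    ],
    "akadns.net.": [
        ("toggle.www.ms.akadns.net.", "CNAME", "g.www.ms.akadns.net."),
        ("g.www.ms.akadns.net.", "CNAME", "lb1.www.ms.akadns.net."),
        ("lb1.www.ms.akadns.net.", "A", "207.46.19.254"),
        ("lb1.www.ms.akadns.net.", "A", "207.46.192.254"),
        ("lb1.www.ms.akadns.net.", "A", "207.46.193.254"),
        ("lb1.www.ms.akadns.net.", "A", "207.46.19.190"),
        ("lb1.www.ms.akadns.net.", "A", "65.55.21.250"),
    ],
}


def zone_for(name: str) -> str:
    """Longest-suffix match: the zone an iterative resolver would ask about name."""
    candidates = [z for z in ZONES if name == z or name.endswith("." + z)]
    if not candidates:
        raise LookupError(f"no authoritative zone for {name}")
    return max(candidates, key=len)


def authoritative_answer(zone: str, qname: str, qtype: str) -> List[Tuple[str, str, str]]:
    """Model server: chases CNAMEs inside its own zone (as the akadns.net servers
    in the thread do) and appends qtype data when the chain ends in-zone."""
    answer, name = [], qname
    while True:
        rrs = [r for r in ZONES[zone] if r[0] == name]
        data = [r for r in rrs if r[1] == qtype]
        if data:
            return answer + data
        cnames = [r for r in rrs if r[1] == "CNAME"]
        if not cnames:
            return answer
        answer.append(cnames[0])
        name = cnames[0][2]


def accept(policy: str, asked: str, zone: str, rr: Tuple[str, str, str]) -> bool:
    """Caching policy for one record in an answer to a query for `asked`."""
    owner, rtype, _ = rr
    if owner == asked:
        return True                       # both policies: owner matches the question
    if policy == "same_zone":
        # pre-Kaminsky middle ground: an in-zone CNAME chain may be cached,
        # but the transaction still restarts at the chain's terminus
        return rtype == "CNAME" and (owner == zone or owner.endswith("." + zone))
    return False                          # "strict": nothing else is cached


def resolve(qname: str, qtype: str, policy: str, max_steps: int = 16) -> Tuple[int, List[str]]:
    """Iteratively resolve qname/qtype; returns (transactions, list of rdata)."""
    cache: List[Tuple[str, str, str]] = []
    name, transactions = qname, 0
    for _ in range(max_steps):
        zone = zone_for(name)
        transactions += 1
        before = len(cache)
        for rr in authoritative_answer(zone, name, qtype):
            if accept(policy, name, zone, rr):
                cache.append(rr)
        if len(cache) == before:
            return transactions, []       # nothing trusted was learned: NODATA
        # follow the cached CNAMEs from `name` as far as we trust them
        while True:
            data = [r[2] for r in cache if r[0] == name and r[1] == qtype]
            if data:
                return transactions, data
            nxt = [r[2] for r in cache if r[0] == name and r[1] == "CNAME"]
            if not nxt:
                break                     # another transaction is needed for `name`
            name = nxt[0]
    raise RuntimeError("resolution did not converge")


if __name__ == "__main__":
    for policy in ("strict", "same_zone"):
        print(policy, resolve("www.microsoft.com.", "A", policy))
```

Under `strict` the model needs 4 transactions (www, toggle, g, lb1), under `same_zone` it needs 3 (www, toggle with g folded in, lb1); both end with the same five addresses, which is the difference James measured with tcpdump.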

