[Pdns-users] CNAME/Wildcard problem - why you should care.
Augie Schwer
augie.schwer at gmail.com
Thu Aug 2 22:04:36 UTC 2007
On 8/1/07, Chris Seufert <chris at shopa.com.au> wrote:
> Does this problem come into play when the client who is trying to
> resolve the domain name is sitting on an IPv6 network, or does it have
> the potential to happen with any IPv6-aware resolver (i.e. has an IPv4
> address, but is IPv6 capable)?
It happens any time a resolver makes a request for a resource record
(AAAA, CNAME, etc.) that does not exist on a query domain
(secure.example.com), and there is a wildcard that points to a CNAME.
For example, the resolver could ask for a CNAME of secure.example.com,
and since there is no answer for that, PowerDNS answers with the
wildcard info it has, which your recursor could cache and give you the
same problem.
> Just a thought, but instead of using a wildcard CNAME, perhaps you could
> use a wildcard A record. This does seem to alleviate the problem, but
> it's not fixing the problem though.
Sure, that's a one-off solution, but when you are talking about
thousands of domains, it really isn't a solution.
> I see a bigger problem with a lookup of AAAA records on our
> installation.
> # host -t AAAA www.thewebdesigner.com.au fred.shopa.com.au
> www.thewebdesigner.com.au CNAME dsl.thewebdesigner.com.au
> dsl.thewebdesigner.com.au CNAME dsl.thewebdesigner.com.au
> ...
> dsl.thewebdesigner.com.au CNAME dsl.thewebdesigner.com.au
> dsl.thewebdesigner.com.au CNAME dsl.thewebdesigner.com.au
> Possible CNAME loop
> That seems to be as bad as, if not worse than, the problem you're describing.
That looks a bit like the other bug I submitted along these lines:
http://wiki.powerdns.com/cgi-bin/trac.fcgi/ticket/124
You'll note that PowerDNS answers with a response code of ServFail but
also populates the Answer section; it's unclear to me whether that's
really OK or not. See my dig below for details:
[augie at augnix ~]$ dig aaaa www.thewebdesigner.com.au @fred.shopa.com.au +norecurse
; <<>> DiG 9.4.1 <<>> aaaa www.thewebdesigner.com.au @fred.shopa.com.au +norecurse
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30963
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.thewebdesigner.com.au. IN AAAA
;; ANSWER SECTION:
www.thewebdesigner.com.au. 10800 IN CNAME dsl.thewebdesigner.com.au.
dsl.thewebdesigner.com.au. 10800 IN CNAME dsl.thewebdesigner.com.au.
;; AUTHORITY SECTION:
thewebdesigner.com.au. 10800 IN SOA ns1.shopa.com.au. hostmaster.shopa.com.au. 20275 10800 3600 604800 3600
--
Augie Schwer - Augie at Schwer.us - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072
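The two behaviours discussed in this thread (a wildcard CNAME being synthesized for a name that already exists but lacks the queried type, and a self-referencing CNAME chain answered with ServFail plus a populated Answer section) can be modelled in a few lines. The following is an added example, not PowerDNS code and not from the thread: a toy authoritative lookup over a constructed zone. It assumes that secure.example.com has only an A record and that a wildcard CNAME sits beside it, mirroring the setup the thread describes; the zone names, addresses and the `buggy` switch are illustrative. With `buggy=False` the lookup follows RFC 1034/4592 semantics (an existing name with no RRset of the queried type is a NODATA answer and the wildcard is never consulted; a wildcard does not match below an existing empty non-terminal); with `buggy=True` it reproduces the wildcard fallthrough the thread complains about.

```python
"""Toy authoritative DNS lookup: wildcard synthesis and CNAME loops.

Added example for illustration; zone data is constructed, not taken
from any real server. Names are fully qualified with a trailing dot.
"""

ORIGIN = "example.com."

# Constructed zone. secure.example.com. has only an A record; the
# wildcard CNAME next to it is the configuration the thread discusses.
ZONE = {
    "example.com.": {
        "SOA": ["ns1.example.com. hostmaster.example.com. 1 10800 3600 604800 3600"],
        "NS": ["ns1.example.com."],
    },
    "ns1.example.com.": {"A": ["192.0.2.1"]},
    "secure.example.com.": {"A": ["192.0.2.10"]},
    "*.example.com.": {"CNAME": ["shared.example.com."]},
    "shared.example.com.": {"A": ["192.0.2.20"], "AAAA": ["2001:db8::20"]},
    # Self-referencing chain, like the dsl.thewebdesigner.com.au dig output.
    "www.loop.example.com.": {"CNAME": ["dsl.loop.example.com."]},
    "dsl.loop.example.com.": {"CNAME": ["dsl.loop.example.com."]},
    # CNAME pointing outside the zone: the resolver must chase it.
    "ext.example.com.": {"CNAME": ["host.example.net."]},
}


def in_zone(name):
    return name == ORIGIN or name.endswith("." + ORIGIN)


def name_exists(name):
    """A name exists if it owns RRsets or is an empty non-terminal
    (some longer name below it exists), per RFC 4592 section 2.2.2."""
    return name in ZONE or any(key.endswith("." + name) for key in ZONE)


def wildcard_for(name):
    """Return the wildcard owner name that would match `name`, or None.
    The closest encloser is the longest existing ancestor; only the
    wildcard directly under it may match."""
    labels = name.split(".")  # "a.b.example.com." -> ["a","b","example","com",""]
    for i in range(1, len(labels) - 1):
        ancestor = ".".join(labels[i:])
        if not in_zone(ancestor):
            break
        if name_exists(ancestor):
            candidate = "*." + ancestor
            return candidate if candidate in ZONE else None
    return None


def lookup(qname, qtype, buggy=False):
    """Return (rcode, answers); answers is a list of (owner, type, rdata).

    buggy=False: RFC-conformant. A name that exists but has no RRset of
    qtype is a NODATA answer (NOERROR, empty); wildcards are consulted
    only when the name does not exist at all.
    buggy=True: models the behaviour described in the thread, where a
    missing type at an existing name falls through to the wildcard.
    """
    answers = []
    seen = set()
    name = qname
    while True:
        if name in seen:
            # CNAME loop. Mirrors the dig output in the thread: SERVFAIL
            # with the CNAMEs already collected left in the Answer section.
            return "SERVFAIL", answers
        seen.add(name)
        if not in_zone(name):
            # Chain left the zone; hand the CNAMEs back and let the
            # resolver continue elsewhere.
            return "NOERROR", answers
        if name_exists(name):
            rrsets = ZONE.get(name, {})  # {} for an empty non-terminal
            if buggy and qtype not in rrsets and "CNAME" not in rrsets:
                wc = wildcard_for(name)  # the fallthrough that should not happen
                if wc is not None:
                    rrsets = ZONE[wc]
        else:
            wc = wildcard_for(name)
            if wc is None:
                return "NXDOMAIN", answers
            rrsets = ZONE[wc]  # synthesize the wildcard's RRsets at `name`
        if qtype in rrsets:
            answers.extend((name, qtype, rdata) for rdata in rrsets[qtype])
            return "NOERROR", answers
        if "CNAME" in rrsets:
            target = rrsets["CNAME"][0]
            answers.append((name, "CNAME", target))
            name = target
            continue
        return "NOERROR", answers  # NODATA: name exists, type does not


if __name__ == "__main__":
    for q in [("secure.example.com.", "AAAA"), ("secure.example.com.", "CNAME"),
              ("random.example.com.", "A"), ("www.loop.example.com.", "AAAA")]:
        print(q, "correct:", lookup(*q), "buggy:", lookup(*q, buggy=True))
```

The instructive cases are the AAAA and CNAME queries for secure.example.com.: the conformant path returns an empty NOERROR answer that a recursor caches as "no AAAA here" and nothing else, while the buggy path returns the wildcard CNAME, which a recursor will cache as the name's canonical name and then use for every subsequent type, including A. The loop case returns SERVFAIL with two CNAMEs in the answer, the same shape as the dig output above; whether an authoritative server should ship an Answer section with SERVFAIL is left as the open question it is in the thread.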