[prev in list] [next in list] [prev in thread] [next in thread]
List: bind-users
Subject: Re: Bad CNAME treatment consistency beetween direct CNAME request vs A request
From: Mark Andrews <marka () isc ! org>
Date: 2022-05-14 9:46:08
Message-ID: F64F8943-1AE0-49D3-B3CE-CE097BE80497 () isc ! org
[Download RAW message or body]
[Attachment #2 (text/html)]
<html><head></head><body dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: \
space; line-break: after-white-space;" class="ApplePlainTextBody"><div \
class="ApplePlainTextBody">prefetch will ask for the CNAME but that is in the \
background and shouldn't impact normal resolution. The log however will be \
noisy.<br><br><blockquote type="cite">On 14 May 2022, at 00:02, Ondřej Surý \
<ondrej@isc.org> wrote:<br><br>I think you misdiagnosed the \
issue.<br><br>Nothing asks directly for the CNAME under normal circumstances, \
and<br><br>And IN A query returns:<br><br>$ dig IN A lb.qual.flash-global.net \
@ns-160-c.gandi.net.<br><br>; <<>> DiG \
9.19.0-1+0~20220421.76+debian10~1.gbpa71ef8-Debian <<>> IN A \
lb.qual.flash-global.net @ns-160-c.gandi.net.<br>;; global options: +cmd<br>;; Got \
answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: \
56926<br>;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1<br>;; \
WARNING: recursion requested but not available<br><br>;; OPT PSEUDOSECTION:<br>; \
EDNS: version: 0, flags:; udp: 1232<br>;; QUESTION \
SECTION:<br>;lb.qual.flash-global.net.<span class="Apple-tab-span" \
style="white-space:pre"> </span>IN<span class="Apple-tab-span" \
style="white-space:pre"> </span>A<br><br>;; ANSWER \
SECTION:<br>lb.qual.flash-global.net. 10800<span class="Apple-tab-span" \
style="white-space:pre"> </span>IN<span class="Apple-tab-span" \
style="white-space:pre"> </span>CNAME<span class="Apple-tab-span" \
style="white-space:pre"> </span>lb1.qual.flash-global.net.<br>lb1.qual.flash-global.net. \
600<span class="Apple-tab-span" style="white-space:pre"> </span>IN<span \
class="Apple-tab-span" style="white-space:pre"> </span>A<span class="Apple-tab-span" \
style="white-space:pre"> </span>51.68.158.37<br><br>;; Query time: 16 msec<br>;; \
SERVER: 217.70.187.161#53(ns-160-c.gandi.net.) (UDP)<br>;; WHEN: Fri May 13 15:57:49 \
CEST 2022<br>;; MSG SIZE rcvd: 87<br><br>So, there's nothing like "cache \
polution", named correctly caches the records returned by the authoritative \
servers.<br><br>Ondrej<br>--<br>Ondřej Surý (He/Him)<br>ondrej@isc.org<br><br>My \
working hours and your working hours may be different. Please do not feel obligated \
to reply outside your normal working hours.<br><br><blockquote type="cite">On 13. 5. \
2022, at 15:30, Emmanuel Fusté <manu.fuste@gmail.com> \
wrote:<br><br>Hello,<br>I've had a hard time identifying the source of intermittent \
name<br>resolution failure for a customer.<br>The source of the problem is a DNS spec \
violation with a RRSET with<br>multiple CNAME:<br><br>dig @ns-29-b.gandi.net \
CNAME lb.qual.flash-global.net<br><br>; <<>> DiG \
9.18.2-1+ubuntu20.04.1+isc+3-Ubuntu <<>> @ns-29-b.gandi.net<br>CNAME \
lb.qual.flash-global.net<br>; (2 servers found)<br>;; global options: +cmd<br>;; Got \
answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: \
42945<br>;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1<br>;; \
WARNING: recursion requested but not available<br><br>;; OPT PSEUDOSECTION:<br>; \
EDNS: version: 0, flags:; udp: 1232<br>;; QUESTION \
SECTION:<br>;lb.qual.flash-global.net. IN \
CNAME<br><br>;; ANSWER \
SECTION:<br>lb.qual.flash-global.net. 10800 IN CNAME \
lb1.qual.flash-global.net.<br>lb.qual.flash-global.net. 10800 IN \
CNAME lb2.qual.flash-global.net.<br><br>;; \
Query time: 10 msec<br>;; SERVER: 213.167.230.30#53(ns-29-b.gandi.net) (UDP)<br>;; \
WHEN: Fri May 13 15:03:00 CEST 2022<br>;; MSG SIZE rcvd: 89<br><br>If I try the \
resolution via my Bind (9.18.2) resolver, cache cold, it<br>properly return a \
SERVFAIL:<br>dig @172.29.0.36 +dnssec +cd CNAME \
lb.qual.flash-global.net<br><br>; <<>> DiG \
9.18.2-1+ubuntu20.04.1+isc+3-Ubuntu <<>> @172.29.0.36<br>+dnssec +cd \
CNAME lb.qual.flash-global.net<br>; (1 server found)<br>;; global options: +cmd<br>;; \
Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: \
24053<br>;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: \
1<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags: do; udp: 1232<br>; \
COOKIE: 23ac9b539bf16ad001000000627e57c0b7d630e657322232 (good)<br>;; QUESTION \
SECTION:<br>;lb.qual.flash-global.net. IN \
CNAME<br><br>;; Query time: 30 msec<br>;; SERVER: \
172.29.0.36#53(172.29.0.36) (UDP)<br>;; WHEN: Fri May 13 15:06:09 CEST 2022<br>;; MSG \
SIZE rcvd: 81<br><br>because the authoritative answer is correctly identified \
as invalid:<br>named[147998]: FORMERR resolving \
'lb.qual.flash-global.net/CNAME/IN':<br>213.167.230.30#53<br>named[147998]: FORMERR \
resolving 'lb.qual.flash-global.net/CNAME/IN':<br>217.70.187.161#53<br>named[147998]: \
FORMERR resolving 'lb.qual.flash-global.net/CNAME/IN':<br>173.246.100.82#53<br><br>Google \
DNS returns the same.<br><br>If I do a A request, I get an (unexpected in my opinion) \
answer:<br>dig @172.29.0.36 +dnssec +cd A lb.qual.flash-global.net<br><br>; \
<<>> DiG 9.18.2-1+ubuntu20.04.1+isc+3-Ubuntu <<>> \
@172.29.0.36<br>+dnssec +cd A lb.qual.flash-global.net<br>; (1 server found)<br>;; \
global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, \
status: NOERROR, id: 26546<br>;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: \
0, ADDITIONAL: 1<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags: do; udp: \
1232<br>; COOKIE: b5755aa921e65a4401000000627e58a481dbcf3655737b6b (good)<br>;; \
QUESTION SECTION:<br>;lb.qual.flash-global.net. IN \
A<br><br>;; ANSWER \
SECTION:<br>lb.qual.flash-global.net. 10800 IN CNAME \
lb1.qual.flash-global.net.<br>lb.qual.flash-global.net. 10800 IN \
RRSIG CNAME 13 4 10800<br>20220526000000 \
20220505000000 57605 \
flash-global.net.<br>NVDmeCSKkx998LRnmiB6hWz4PdZJ5WPG6CCrDTSP587pLUxxoxeNlCmJ<br>l8l0p8/l8o+ZmZr1EXqxUA1FXpGbGw==<br>lb1.qual.flash-global.net. \
600 IN A \
51.68.158.37<br>lb1.qual.flash-global.net. 600 \
IN RRSIG A 13 4 600<br>20220526000000 \
20220505000000 57605 \
flash-global.net.<br>G1YUaDtWVGxj5NbA18crQ912tW/VWra49wi3U1EeRio9kId+2mwo7Vuj<br>GH8adlvvjQyps7IBtj9gYVmbewN+GQ==<br><br>;; \
Query time: 30 msec<br>;; SERVER: 172.29.0.36#53(172.29.0.36) (UDP)<br>;; WHEN: Fri \
May 13 15:09:57 CEST 2022<br>;; MSG SIZE rcvd: 339<br><br>Google DNS do \
the same<br><br>BUT<br><br>Now on my side I have cache pollution as a new CNAME \
request give me<br><br>dig @172.29.0.36 +dnssec +cd CNAME \
lb.qual.flash-global.net<br><br>; <<>> DiG \
9.18.2-1+ubuntu20.04.1+isc+3-Ubuntu <<>> @172.29.0.36<br>+dnssec +cd \
CNAME lb.qual.flash-global.net<br>; (1 server found)<br>;; global options: +cmd<br>;; \
Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: \
42637<br>;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: \
1<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags: do; udp: 1232<br>; \
COOKIE: ea748ef065e32df101000000627e59947b2e1424679d72f2 (good)<br>;; QUESTION \
SECTION:<br>;lb.qual.flash-global.net. IN \
CNAME<br><br>;; ANSWER \
SECTION:<br>lb.qual.flash-global.net. 10560 IN CNAME \
lb1.qual.flash-global.net.<br>lb.qual.flash-global.net. 10560 IN \
RRSIG CNAME 13 4 10800<br>20220526000000 \
20220505000000 57605 \
flash-global.net.<br>NVDmeCSKkx998LRnmiB6hWz4PdZJ5WPG6CCrDTSP587pLUxxoxeNlCmJ<br>l8l0p8/l8o+ZmZr1EXqxUA1FXpGbGw==<br><br>;; \
Query time: 20 msec<br>;; SERVER: 172.29.0.36#53(172.29.0.36) (UDP)<br>;; WHEN: Fri \
May 13 15:13:56 CEST 2022<br>;; MSG SIZE rcvd: 211<br><br>until I issue a rndc \
flush command.<br>This cache pollution is bad and seems to not happen on the google \
side<br>(but there are many DNS behind 8.8.8.8).<br><br>I would have expected a \
SERVFAIL/FORMERR in the A request case. Even<br>if I could understand a conservative \
approach from the Google side, I<br>don't buy it for Bind and expect a configuration \
directive to reject<br>it.<br>If this (the A case) is an expected behavior for Bind, \
I think that<br>the cache pollution is not and should be fixed.<br><br>am I wrong \
?<br><br>The question of whether Gandi should correct the fact of being<br>able/allow \
to declare several CNAMEs on an entry and how to contact<br>them to fix this is more \
a question for dns-operation.<br><br>Emmanuel.<br>--<br>Visit \
https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this \
list<br><br>ISC funds the development of this software with paid support \
subscriptions. Contact us at https://www.isc.org/contact/ for more \
information.<br><br><br>bind-users mailing \
list<br>bind-users@lists.isc.org<br>https://lists.isc.org/mailman/listinfo/bind-users<br></blockquote><br>-- \
<br>Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this \
list<br><br>ISC funds the development of this software with paid support \
subscriptions. Contact us at https://www.isc.org/contact/ for more \
information.<br><br><br>bind-users mailing \
list<br>bind-users@lists.isc.org<br>https://lists.isc.org/mailman/listinfo/bind-users<br></blockquote><br>-- \
<br>Mark Andrews, ISC<br>1 Seymour St., Dundas Valley, NSW 2117, Australia<br>PHONE: \
+61 2 9871 4742 INTERNET: \
marka@isc.org<br><br></div></body></html>
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact \
us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic