Re: Order of CNAME and A in Authoritative Reply.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Joe,

> Paraphrasing with more detail, a query with RD=0, QTYPE=A and some
> QNAME is sent to an authoritative server. The corresponding owner name
> is a CNAME, with some target, and the target owner name has an A RRSet
> associated with it. The authoritative server responds with both the
> CNAME and the A RRSet in the ANSWER section, if it is able to include
> both elements authoritatively (i.e. it's authoritative for the target
> owner name).

Agreed, and thanks for the precision.

> The question is whether there is a specified order for the different
> RRSets present in the ANSWER section of the response, and the answer
> seems to be no.

AFAIK.  An additional quote I forgot before that has come up when
discussing this off list:

    https://tools.ietf.org/html/rfc1034#section-3.6

    A domain name identifies a node.  Each node has a set of resource
    information, which may be empty.  The set of resource information
    associated with a particular name is composed of separate resource
    records (RRs).  The order of RRs in a set is not significant, and
    need not be preserved by name servers, resolvers, or other parts of
    the DNS.

(Note, this RFC pre-dates RRsets.)  Although it say "order is not
significant" that's only for those associated with a particular name,
i.e. all the A RRs for foo.com, as I read it.

> > BIND/named seems to have done the obvious from early on, appending
> > the CNAME to the reply, and then appending the A.  Clients have come
> > to depend on this behaviour, assuming on seeing the CNAME that they
> > can switch horses to the CNAME's value and continue processing the
> > packet from that point.
>
> What clients are you talking about, here?

Well, ping(1), say, using glibc's resolver.

> > DNS servers that don't follow this unwritten convention thus break
> > some of the many and varied clients that already exist.
>
> Can you support this with data?

There's the 50%-round-robin-ping failure I mentioned before.  Examining
other stub resolvers showed glibc isn't alone in its assumption.

> > An ad hoc survey of clients...
> >
> >   4.3BSD's named built the reply in the obvious (CNAME, A) order,
> >   and its client expected the same.
>
> I'm not sure the behaviour of obsolete versions of BIND is especially
> relevant, although the history is interesting.

Well, I was wondering how far back parsers of replies could have been
lead to believe a certain order was guaranteed.

> >   glibc and dietlibc both expect (CNAME, A).
>
> Neither of those are generally clients of authoritative servers, I
> think.
>
> >   uclibc stops on seeing the CNAME, sending another request!  But it
> >   means it happens to `work' with (A, CNAME).
>
> This isn't a client of an authoritative server either.
>
> >   Finally Go came along in 2008, probably influenced by Plan 9's
> >   implementation, though I haven't checked that.  It alters what it
> >   wants on seeing the CNAME, and restarts parsing the whole packet.
>
> Go the programming language? I'm confused as to how that's a client of
> an authoritative server, either.

Go implements its own resolver rather than use the local libc's, e.g.
glibc's.  All of them are stub resolvers, yes, but if asked to look up
foo.bar.local and /etc/resolv.conf has only the authoritative bar.local
server in it then they get an authoritative response without a
third-party recursive resolver being involved.

> Is it possible that you're actually talking about the behaviour of
> recursive servers when returning responses to stub resolvers?

No, not in this case.  Let's say I was, if the MITM recursive resolver
knew nothing, queried the authority and got (A, CNAME) back in the one
reply, is it defined that it's responsible for passing that back to the
stub in a particular order, e.g. (CNAME, A)?

Cheers, Ralph.




[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]