[dnsext] DNAME with exceptions - work-around found

Brian Dickson <brian.peter.dickson@gmail.com> Fri, 10 September 2010 20:39 UTC

Date: Fri, 10 Sep 2010 17:34:30 -0300
Message-ID: <AANLkTim8o93AQhj_oUvWMvqNH6DiN_W9mLSznRLu9ePA@mail.gmail.com>
Subject: [dnsext] DNAME with exceptions - work-around found
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: namedroppers@ops.ietf.org
List-ID: <namedroppers.ops.ietf.org>
List-Archive: <http://ops.ietf.org/lists/namedroppers/>

I've been giving more thought to the issue of DNAME vs "exceptions", and
checked both RFC 2672, and the current draft 2672-bis.

The following is *technically* allowed, and *definitely* evil.

But, at least in the latest BIND implementation I've checked (BIND
9.7.1-P2), it actually works, with no modifications to the protocol or the
code.

Which means, if folks agree that this is a reasonable hack to allow the use
of, it may be possible to implement all the desired features and functions
for "the same" using just a slightly modified SHADOW.
(And suitable additional discussion in 2672-bis, for which, if needed, I am
willing to supply text.)

Here's the trick - on the authority server, serve up more-specific zone(s)
as needed, whose owner would have been a descendant of one of the DNAMEs
used to make things "the same".

Being "deeper" in the tree, it is found first. And not being in the same
zone, it is technically allowed, although strongly discouraged (SHOULD NOT
is the language in -bis).


So, the modifications to SHADOW would be:
- Place exceptions in per-SHADOW-zone more-specific zones (generating the
  zone files and conf files as needed).
- Normal SHADOW zones consist of apex copies of the Amber apex, plus a DNAME
  to the Amber zone (per the previous suggestion; was it Olaf?).
- (Delegations to signed SHADOW zones might not handle "exceptions" properly,
  or at all, or some additional fix-ups may make them possible.)

Brian


Here's an example of it in use (apologies for the bind-specific bits):

/etc/named.conf (relevant bits anyway):

zone "foo.example.com" IN {
    type master;
    file "foo.example.zone";
    allow-update { none; };
};

zone "bar.example.com" IN {
    type master;
    file "bar.example.zone";
    allow-update { none; };
};

zone "bar.foo.example.com" IN {
    type master;
    file "bar.foo.example.zone";
    allow-update { none; };
};


file bar.example.zone:

$TTL    86400
$ORIGIN bar.example.com.
@                       1D IN SOA   @ root (
                                    42      ; serial (d. adams)
                                    3H      ; refresh
                                    15M     ; retry
                                    1W      ; expiry
                                    1D )    ; minimum

                        1D IN NS    ns1.bar.example.com.
ns1.bar.example.com.    1D IN A     127.0.0.1 ; glue record
foo                     1D IN TXT   "foo.bar.example.com is what is in the zone. Where did you find this record?"
bar                     1D IN TXT   "bar.bar.example.com is what is in the zone. Where did you find this record?"
foo.bar                 1D IN TXT   "foo.bar.bar.example.com is what is in the zone. Where did you find this record?"


file bar.foo.example.zone:

$TTL    86400
$ORIGIN bar.foo.example.com.
@                           1D IN SOA   @ root (
                                        42      ; serial (d. adams)
                                        3H      ; refresh
                                        15M     ; retry
                                        1W      ; expiry
                                        1D )    ; minimum

                            1D IN NS    ns1.bar.foo.example.com.
ns1.bar.foo.example.com.    1D IN A     127.0.0.1 ; glue record
foo                         1D IN TXT   "foo.bar.foo.example.com is what is in the zone. Where did you find this record?"


file foo.example.zone:

$TTL    86400
$ORIGIN foo.example.com.
@                       1D IN SOA   @ root (
                                    42      ; serial (d. adams)
                                    3H      ; refresh
                                    15M     ; retry
                                    1W      ; expiry
                                    1D )    ; minimum

                        1D IN NS    ns1.foo.example.com.
                        1D IN DNAME bar.example.com.
ns1.foo.example.com.    1D IN A     127.0.0.1 ; glue record
foo                     1D IN TXT   "foo.foo.example.com is what is in the zone. Where did you find this record?"
bar                     1D IN TXT   "bar.foo.example.com is what is in the zone. Where did you find this record?"
foo.bar                 1D IN TXT   "foo.bar.foo.example.com is what is in the zone. Where did you find this record?"
; NB - the above are, if present, occluded by the DNAME.


And the results:

bash-3.2# dig @127.0.0.1 TXT foo.foo.example.com

; <<>> DiG 9.4.3-P3 <<>> @127.0.0.1 TXT foo.foo.example.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64694
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;foo.foo.example.com.        IN    TXT

;; ANSWER SECTION:
foo.example.com.    86400    IN    DNAME    bar.example.com.
foo.foo.example.com.    0    IN    CNAME    foo.bar.example.com.
foo.bar.example.com.    86400    IN    TXT    "foo.bar.example.com is what is in the zone. Where did you find this record?"

;; AUTHORITY SECTION:
bar.example.com.    86400    IN    NS    ns1.bar.example.com.

;; ADDITIONAL SECTION:
ns1.bar.example.com.    86400    IN    A    127.0.0.1

;; Query time: 13 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Sep 10 17:24:05 2010
;; MSG SIZE  rcvd: 206

bash-3.2# dig @127.0.0.1 TXT foo.bar.example.com

; <<>> DiG 9.4.3-P3 <<>> @127.0.0.1 TXT foo.bar.example.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38887
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;foo.bar.example.com.        IN    TXT

;; ANSWER SECTION:
foo.bar.example.com.    86400    IN    TXT    "foo.bar.example.com is what is in the zone. Where did you find this record?"

;; AUTHORITY SECTION:
bar.example.com.    86400    IN    NS    ns1.bar.example.com.

;; ADDITIONAL SECTION:
ns1.bar.example.com.    86400    IN    A    127.0.0.1

;; Query time: 11 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Sep 10 17:24:18 2010
;; MSG SIZE  rcvd: 159

bash-3.2# dig @127.0.0.1 TXT foo.bar.foo.example.com

; <<>> DiG 9.4.3-P3 <<>> @127.0.0.1 TXT foo.bar.foo.example.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36569
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;foo.bar.foo.example.com.    IN    TXT

;; ANSWER SECTION:
foo.bar.foo.example.com. 86400    IN    TXT    "foo.bar.foo.example.com is what is in the zone. Where did you find this record?"

;; AUTHORITY SECTION:
bar.foo.example.com.    86400    IN    NS    ns1.bar.foo.example.com.

;; ADDITIONAL SECTION:
ns1.bar.foo.example.com. 86400    IN    A    127.0.0.1

;; Query time: 7 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Sep 10 17:24:25 2010
;; MSG SIZE  rcvd: 167
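An added example, not part of the post above and not BIND code: a small Python model of why the trick works. It does longest-match zone selection (the deepest configured zone enclosing the query name answers, so bar.foo.example.com is found before the DNAME at the apex of foo.example.com is ever consulted), performs the RFC 2672 / RFC 6672 DNAME substitution that produces the synthesized CNAME seen in the first dig transcript, lists the records in foo.example.zone that the apex DNAME occludes, and, going beyond the post, enforces the 255-octet limit on the rewritten name (the YXDOMAIN case). The zone contents are constructed from the three zone files above with the TXT strings shortened; the lookup logic, function names and the toy SERVFAIL loop guard are this example's own assumptions, not BIND's behaviour.

```python
"""Toy authoritative lookup: longest-match zone selection plus DNAME
substitution (RFC 2672 / RFC 6672), modelling the three zones in the post.
The lookup logic is this example's own, not BIND's."""


class NameTooLong(ValueError):
    """Synthesized name would exceed 255 octets; a server answers YXDOMAIN."""


# Constructed zone data mirroring the post's zone files. Only the apex DNAME
# and the TXT records matter here; SOA, NS and glue A records are omitted.
ZONES = {
    "foo.example.com.": {
        "dname": "bar.example.com.",
        "txt": {  # present in the file, but occluded by the apex DNAME
            "foo.foo.example.com.": "foo.foo.example.com is what is in the zone.",
            "bar.foo.example.com.": "bar.foo.example.com is what is in the zone.",
            "foo.bar.foo.example.com.": "foo.bar.foo.example.com is what is in the zone.",
        },
    },
    "bar.example.com.": {
        "dname": None,
        "txt": {
            "foo.bar.example.com.": "foo.bar.example.com is what is in the zone.",
            "bar.bar.example.com.": "bar.bar.example.com is what is in the zone.",
            "foo.bar.bar.example.com.": "foo.bar.bar.example.com is what is in the zone.",
        },
    },
    "bar.foo.example.com.": {  # the "exception" zone, deeper than the DNAME owner
        "dname": None,
        "txt": {"foo.bar.foo.example.com.": "foo.bar.foo.example.com is what is in the zone."},
    },
}


def labels(name):
    """Split a name into lowercase labels; trailing dot optional."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def to_name(parts):
    return ".".join(parts) + "."


def wire_length(name):
    """Wire-format length: a length octet per label plus the root label."""
    return sum(1 + len(l) for l in labels(name)) + 1


def is_below(name, ancestor):
    """True if name is at or below ancestor, compared label by label."""
    n, a = labels(name), labels(ancestor)
    return len(n) >= len(a) and n[len(n) - len(a):] == a


def closest_zone(qname, zones):
    """Longest-match zone selection: the deepest configured zone enclosing
    qname wins, so bar.foo.example.com is consulted before the DNAME at the
    apex of foo.example.com is ever seen."""
    best = None
    for zone in zones:
        if is_below(qname, zone) and (best is None or len(labels(zone)) > len(labels(best))):
            best = zone
    return best


def dname_substitute(qname, owner, target):
    """Replace the DNAME owner suffix of qname with the DNAME target."""
    q, o = labels(qname), labels(owner)
    if not (len(q) > len(o) and q[len(q) - len(o):] == o):
        raise ValueError("qname must be strictly below the DNAME owner")
    new = to_name(q[: len(q) - len(o)] + labels(target))
    if wire_length(new) > 255:
        raise NameTooLong(new)
    return new


def resolve(qname, zones=ZONES, _depth=0):
    """Answer a TXT query. Returns (rcode, answer); answer is a list of
    (owner, type, rdata) in the order an authoritative server emits them."""
    qname = to_name(labels(qname))
    zone = closest_zone(qname, zones)
    if zone is None:
        return "REFUSED", []  # not authoritative for this name
    z = zones[zone]
    if z["dname"] is not None and qname != zone:
        try:
            new = dname_substitute(qname, zone, z["dname"])
        except NameTooLong:
            return "YXDOMAIN", [(zone, "DNAME", z["dname"])]
        answer = [(zone, "DNAME", z["dname"]), (qname, "CNAME", new)]
        if _depth >= 8:  # assumed guard against DNAME chains that loop
            return "SERVFAIL", answer
        rcode, rest = resolve(new, zones, _depth + 1)
        if rcode == "REFUSED":  # target is elsewhere; the resolver chases the CNAME
            return "NOERROR", answer
        return rcode, answer + rest
    if qname in z["txt"]:
        return "NOERROR", [(qname, "TXT", z["txt"][qname])]
    if qname == zone:
        return "NOERROR", []  # apex exists but holds no TXT (NODATA)
    return "NXDOMAIN", []


def occluded_names(zone, zones=ZONES):
    """Names in a zone file that sit below its apex DNAME and can never be
    served from that zone (the 'NB' remark in foo.example.zone)."""
    z = zones[zone]
    return set() if z["dname"] is None else {n for n in z["txt"] if n != zone}
```

Querying foo.foo.example.com walks the DNAME and returns DNAME, synthesized CNAME and the target's TXT, exactly the shape of the first dig answer; foo.bar.foo.example.com never touches the DNAME because the deeper zone wins; and a DNAME target long enough to push the rewritten name past 255 octets yields YXDOMAIN rather than a truncated name.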