[dnsext] DNAME with exceptions - work-around found
Brian Dickson <brian.peter.dickson@gmail.com> Fri, 10 September 2010 20:39 UTC
Date: Fri, 10 Sep 2010 17:34:30 -0300
Message-ID: <AANLkTim8o93AQhj_oUvWMvqNH6DiN_W9mLSznRLu9ePA@mail.gmail.com>
Subject: [dnsext] DNAME with exceptions - work-around found
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: namedroppers@ops.ietf.org
I've been giving more thought to the issue of DNAME vs "exceptions", and checked both RFC 2672, and the current draft 2672-bis.

The following is *technically* allowed, and *definitely* evil. But, at least in the current latest bind implementation I've checked (bind 9.7.1-P2), it actually works, with no modifications to the protocol or the code.

Which means, if folks agree that this is a reasonable hack to allow use of, it may be possible to implement all the desired features and functions for "the same" using just a slightly-modified SHADOW. (And suitable additional discussion in 2672-bis, for which if needed I am willing to supply text.)

Here's the trick - on the authority server, serve up more-specific zone(s) as needed, whose owner would have been a descendant of one of the DNAMEs used to make things "the same". Being "deeper" in the tree, it is found first. And not being in the same zone, it is technically allowed, although strongly discouraged (SHOULD NOT is the language in -bis).

So, the modifications to SHADOW would be:

- Place exceptions in per-SHADOW-zone more-specific zones (generating the zone files and conf files as needed)
- Normal SHADOW zones consist of apex copies of Amber apex, plus DNAME of Amber zone (per the previous suggestion, was it Olaf?)
- (Delegations to signed SHADOW zones might not handle "exceptions" properly, or at all, or some additional fix-ups may make them possible.)

Brian

Here's an example of it in use (apologies for the bind-specific bits):

/etc/named.conf (relevant bits anyway):

```
zone "foo.example.com" IN {
    type master;
    file "foo.example.zone";
    allow-update { none; };
};
zone "bar.example.com" IN {
    type master;
    file "bar.example.zone";
    allow-update { none; };
};
zone "bar.foo.example.com" IN {
    type master;
    file "bar.foo.example.zone";
    allow-update { none; };
};
```

file bar.example.zone:

```
$TTL 86400
$ORIGIN bar.example.com.
@       1D IN SOA @ root (
                42      ; serial (d. adams)
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
        1D IN NS ns1.bar.example.com.
ns1.bar.example.com.    1D IN A 127.0.0.1 ;glue record
foo     1D IN TXT "foo.bar.example.com is what is in the zone. Where did you find this record?"
bar     1D IN TXT "bar.bar.example.com is what is in the zone. Where did you find this record?"
foo.bar 1D IN TXT "foo.bar.bar.example.com is what is in the zone. Where did you find this record?"
```

file bar.foo.example.zone:

```
$TTL 86400
$ORIGIN bar.foo.example.com.
@       1D IN SOA @ root (
                42      ; serial (d. adams)
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
        1D IN NS ns1.bar.foo.example.com.
ns1.bar.foo.example.com.        1D IN A 127.0.0.1 ;glue record
foo     1D IN TXT "foo.bar.foo.example.com is what is in the zone. Where did you find this record?"
```

file foo.example.zone:

```
$TTL 86400
$ORIGIN foo.example.com.
@       1D IN SOA @ root (
                42      ; serial (d. adams)
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
        1D IN NS ns1.foo.example.com.
        1D IN DNAME bar.example.com.
ns1.foo.example.com.    1D IN A 127.0.0.1 ;glue record
foo     1D IN TXT "foo.foo.example.com is what is in the zone. Where did you find this record?"
bar     1D IN TXT "bar.foo.example.com is what is in the zone. Where did you find this record?"
foo.bar 1D IN TXT "foo.bar.foo.example.com is what is in the zone. Where did you find this record?"
; NB - the above are, if present, occluded by the DNAME.
```

And the results:

```
bash-3.2# dig @127.0.0.1 TXT foo.foo.example.com

; <<>> DiG 9.4.3-P3 <<>> @127.0.0.1 TXT foo.foo.example.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64694
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;foo.foo.example.com.           IN      TXT

;; ANSWER SECTION:
foo.example.com.        86400   IN      DNAME   bar.example.com.
foo.foo.example.com.    0       IN      CNAME   foo.bar.example.com.
foo.bar.example.com.    86400   IN      TXT     "foo.bar.example.com is what is in the zone. Where did you find this record?"

;; AUTHORITY SECTION:
bar.example.com.        86400   IN      NS      ns1.bar.example.com.

;; ADDITIONAL SECTION:
ns1.bar.example.com.    86400   IN      A       127.0.0.1

;; Query time: 13 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Sep 10 17:24:05 2010
;; MSG SIZE  rcvd: 206

bash-3.2# dig @127.0.0.1 TXT foo.bar.example.com

; <<>> DiG 9.4.3-P3 <<>> @127.0.0.1 TXT foo.bar.example.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38887
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;foo.bar.example.com.           IN      TXT

;; ANSWER SECTION:
foo.bar.example.com.    86400   IN      TXT     "foo.bar.example.com is what is in the zone. Where did you find this record?"

;; AUTHORITY SECTION:
bar.example.com.        86400   IN      NS      ns1.bar.example.com.

;; ADDITIONAL SECTION:
ns1.bar.example.com.    86400   IN      A       127.0.0.1

;; Query time: 11 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Sep 10 17:24:18 2010
;; MSG SIZE  rcvd: 159

bash-3.2# dig @127.0.0.1 TXT foo.bar.foo.example.com

; <<>> DiG 9.4.3-P3 <<>> @127.0.0.1 TXT foo.bar.foo.example.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36569
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;foo.bar.foo.example.com.       IN      TXT

;; ANSWER SECTION:
foo.bar.foo.example.com. 86400  IN      TXT     "foo.bar.foo.example.com is what is in the zone. Where did you find this record?"

;; AUTHORITY SECTION:
bar.foo.example.com.    86400   IN      NS      ns1.bar.foo.example.com.

;; ADDITIONAL SECTION:
ns1.bar.foo.example.com. 86400  IN      A       127.0.0.1

;; Query time: 7 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Sep 10 17:24:25 2010
;; MSG SIZE  rcvd: 167
```
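A toy model of the lookup behaviour the post relies on, as an added example that is not part of the original message and not BIND's code: `ZONES`, `ancestors`, `closest_zone` and `lookup` are hypothetical names, the zone contents mirror the post's three zones, and the lookup logic assumes the deepest enclosing zone is chosen first and DNAME substitution then follows RFC 2672 section 3.

```python
# Added example, not from the post and not BIND's code: a toy model of why a
# more-specific zone (bar.foo.example.com) is answered before the DNAME at
# foo.example.com. Deepest enclosing zone wins; inside a zone the first DNAME
# met walking down from the apex rewrites the query (RFC 2672 section 3).

# Zones keyed by apex; owner names are relative to the apex ("@" = apex).
ZONES = {
    "foo.example.com": {
        "@": {"DNAME": "bar.example.com"},
        "foo": {"TXT": "foo.foo.example.com is what is in the zone"},  # occluded
    },
    "bar.example.com": {
        "foo": {"TXT": "foo.bar.example.com is what is in the zone"},
        "foo.bar": {"TXT": "foo.bar.bar.example.com is what is in the zone"},
    },
    "bar.foo.example.com": {  # the "exception" zone below the DNAME owner
        "foo": {"TXT": "foo.bar.foo.example.com is what is in the zone"},
    },
}

def ancestors(name):
    """Yield name, then each proper ancestor: a.b.c -> a.b.c, b.c, c."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

def closest_zone(qname):
    """The zone whose apex is the longest suffix of qname: the deepest cut wins."""
    return next((n for n in ancestors(qname) if n in ZONES), None)

def lookup(qname, qtype, depth=0):
    """Answer section as (owner, type, rdata) tuples, following DNAME rewrites."""
    zone = closest_zone(qname)
    if zone is None or depth > 8:          # not authoritative, or a DNAME loop
        return []
    rrsets = ZONES[zone]
    rel = lambda name: "@" if name == zone else name[: -len(zone) - 1]
    # Walk apex-first through the proper ancestors of qname inside this zone;
    # the first DNAME met rewrites the query and occludes everything below it.
    within = [a for a in ancestors(qname) if a != qname and len(a) >= len(zone)]
    for anc in reversed(within):
        target = rrsets.get(rel(anc), {}).get("DNAME")
        if target:
            new = qname[: -len(anc)] + target   # swap the DNAME owner for target
            return ([(anc, "DNAME", target), (qname, "CNAME", new)]
                    + lookup(new, qtype, depth + 1))
    rdata = rrsets.get(rel(qname), {}).get(qtype)
    return [(qname, qtype, rdata)] if rdata else []
```

`lookup("foo.foo.example.com", "TXT")` reproduces the DNAME, synthesized CNAME and TXT of the first dig above, while `lookup("foo.bar.foo.example.com", "TXT")` never touches the DNAME because `bar.foo.example.com` is the closer enclosing zone.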