Re: [dnsext] SRV and wildcard CNAME

Mark Andrews <marka@isc.org> Mon, 21 February 2011 01:17 UTC

To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
From: Mark Andrews <marka@isc.org>
References: <20110216032120.43474.qmail@joyce.lan> <alpine.LSU.2.00.1102161143180.5244@hermes-1.csi.cam.ac.uk> <20110216212930.57D64A3F344@drugs.dv.isc.org> <4D5D24F3.70206@gis.net> <20110217231720.1FCF3A49096@drugs.dv.isc.org> <4D5E08E4.8060106@necom830.hpcl.titech.ac.jp> <AANLkTikjBvndD91q1jQeU9Q45qZyJbBs8t_wZkFezSfa@mail.gmail.com> <4D61B702.7060902@necom830.hpcl.titech.ac.jp>
In-reply-to: Your message of "Mon, 21 Feb 2011 09:51:14 +0900." <4D61B702.7060902@necom830.hpcl.titech.ac.jp>
Date: Mon, 21 Feb 2011 12:17:31 +1100
Message-Id: <20110221011731.F0FE0A6B00F@drugs.dv.isc.org>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] SRV and wildcard CNAME

In message <4D61B702.7060902@necom830.hpcl.titech.ac.jp>, Masataka Ohta writes:
> Phillip Hallam-Baker wrote:
> 
> > It does indeed. And worse, it works for
> > 
> > _null._random.example.com  SRV...
> > 
> > And other non existent protocols.
> 
> Non existent protocols are not a problem, because they just do
> not work, which is fine.
> 
> The problem is that protocols used share a port.
> 
> However, as the only protocol which may be used by *LAZY* users,
> other than http, is https, it may share the same port as http,
> if servers are implemented to distinguish them by the first
> byte of the request.

It breaks *all* protocols that use SRV.  Wildcarding a SRV record
is a bad idea.

> Maybe, some of you are thinking that SRV can't differentiate
> server names of name based virtual hosting.
> 
> But,
> 
>        *.example.com  CNAME com.example.net
> 
>        *.example.org  CNAME org.example.net
> 
> 	com.example.net SRV  0 1 P com.server.example.net
> 	org.example.net SRV  0 1 P org.server.example.net
> 	com.server.example.net CNAME shared.server.example.net
> 	org.server.example.net CNAME shared.server.example.net
> 
> should work, even though it violates SRV specification requiring
> "name MUST NOT be an alias".

Then you have a client that tries to use the "foo" protocol which is
SRV aware.  The client asks for _foo._tcp.bar.example.com SRV and
ends up being sent to the http server.

Wildcards match multiple labels.
 
> > There is a way to fix the issue. Instead of resolving in a single step, a
> > two step resolution is performed. The first step being for an unprefixed
> > name. This will result in either 'not found' or a canonical name being
> > returned. The prefix is applied to the canonical name in the second phase.
> 
> Why do we have to fix a non existent issue?
> 
> 						Masataka Ohta
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
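The point Mark makes above (a wildcard CNAME at *.example.com also answers _foo._tcp.bar.example.com, so an SRV lookup for any protocol lands on the http server, and the SRV target is itself an alias) can be reproduced with a small authoritative-lookup model. This is an added example, not code from anyone in the thread; the zone is constructed from the records Ohta quoted, with the SRV port (80) and the final A record assumed, and the lookup follows RFC 4592 closest-encloser wildcard matching with RFC 1034 CNAME chasing.

```python
"""Toy authoritative lookup with RFC 4592 wildcard synthesis and CNAME
chasing, showing that a wildcard CNAME at *.example.com also answers SRV
queries for any protocol name below it.  Added example for this thread,
not code from the thread's participants; zone data is constructed from the
records quoted above, with the SRV port and the A record assumed."""

from dataclasses import dataclass

# Constructed zone data.  Port 80 and the A record are assumptions.
ZONE = {
    "*.example.com.": [("CNAME", "com.example.net.")],
    "com.example.net.": [("SRV", (0, 1, 80, "com.server.example.net."))],
    "com.server.example.net.": [("CNAME", "shared.server.example.net.")],
    "shared.server.example.net.": [("A", "192.0.2.10")],
}


@dataclass
class RR:
    owner: str      # name the record is answered under (the qname for wildcards)
    rtype: str
    rdata: object
    wildcard: bool  # True if synthesized from a "*" owner


def _fqdn(name):
    return name.lower().rstrip(".") + "."


def _existing_names(zone):
    """All owner names plus their ancestors (empty non-terminals)."""
    names = set()
    for owner in zone:
        labels = owner.split(".")
        for i in range(len(labels)):
            names.add(".".join(labels[i:]))
    return names


def lookup(qname, qtype, zone=ZONE, _depth=0):
    """Answer qname/qtype from zone.  Returns the answer section as a list
    of RR; an empty list means NXDOMAIN or NODATA."""
    qname = _fqdn(qname)
    owner = qname
    if qname not in zone:
        existing = _existing_names(zone)
        if qname in existing:
            return []  # empty non-terminal: NODATA
        labels = qname.split(".")
        # Closest encloser: the longest existing ancestor of qname (RFC 4592).
        # A wildcard there matches regardless of how many labels are missing.
        closest = next(".".join(labels[i:]) for i in range(1, len(labels))
                       if ".".join(labels[i:]) in existing)
        owner = "*." + closest
        if owner not in zone:
            return []  # no wildcard at the closest encloser: NXDOMAIN
    synthesized = owner != qname
    answer = []
    for rtype, rdata in zone[owner]:
        if rtype == "CNAME" and qtype != "CNAME":
            answer.append(RR(qname, "CNAME", rdata, synthesized))
            if _depth < 8:  # bound CNAME chains
                answer.extend(lookup(rdata, qtype, zone, _depth + 1))
            return answer
    answer.extend(RR(qname, rtype, rdata, synthesized)
                  for rtype, rdata in zone[owner] if rtype == qtype)
    return answer


def srv_target(service_name, zone=ZONE):
    """The SRV target a client would end up using, or None."""
    for rr in lookup(service_name, "SRV", zone):
        if rr.rtype == "SRV":
            return rr.rdata[3]
    return None


def audit_srv(service_name, zone=ZONE):
    """Defender-side checks on an SRV answer: was it synthesized by a
    wildcard (so it exists for *every* _proto._tcp name under the owner),
    and does its target violate RFC 2782's "name MUST NOT be an alias"?"""
    findings = []
    answer = lookup(service_name, "SRV", zone)
    if any(rr.wildcard for rr in answer):
        findings.append("wildcard-synthesized")
    for rr in answer:
        if rr.rtype == "SRV":
            target = _fqdn(rr.rdata[3])
            if any(t == "CNAME" for t, _ in zone.get(target, [])):
                findings.append("target-is-alias")
    return findings


if __name__ == "__main__":
    for name in ("_foo._tcp.bar.example.com", "_http._tcp.www.example.com"):
        print(name, "->", srv_target(name), audit_srv(name))
```

Both `_foo._tcp.bar.example.com` and `_http._tcp.www.example.com` resolve to the same SRV target, which is the behaviour the thread objects to: the client asking for "foo" is handed the http server. The audit flags both the wildcard synthesis and the alias target, which is the kind of check a zone linter or resolver-side monitor would apply before trusting an SRV answer.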