Re: [dnsext] DNAME with exceptions - work-around found

"W.C.A. Wijngaards" <wouter@nlnetlabs.nl> Sat, 11 September 2010 08:41 UTC

Message-ID: <4C8B3F0E.8050806@nlnetlabs.nl>
Date: Sat, 11 Sep 2010 10:34:22 +0200
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
To: Brian Dickson <brian.peter.dickson@gmail.com>
CC: namedroppers@ops.ietf.org
Subject: Re: [dnsext] DNAME with exceptions - work-around found
References: <AANLkTim8o93AQhj_oUvWMvqNH6DiN_W9mLSznRLu9ePA@mail.gmail.com>
In-Reply-To: <AANLkTim8o93AQhj_oUvWMvqNH6DiN_W9mLSznRLu9ePA@mail.gmail.com>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
List-Archive: <http://ops.ietf.org/lists/namedroppers/>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Brian,

That is one dirty trick, and it may even work with NSD :-). However,
it fails with caches.  If a cache finds a DNAME record in the cache it
is allowed to synthesize a CNAME by itself.  And having seen foo DNAME
bar, it will no longer send queries for bar.foo to the foo server.

(it may be wise to only do this for DNSSEC validated DNAMEs, but that is
beside the point for aliasing).

Thus this may seem to work if you dig the authority server, but the
resolvers won't.  Also some authority implementations may refuse to load
the DNAME zone with a delegation below the DNAME - even bind will (IMHO
- I am not affiliated with ISC) treat this as obscured information and
will not serve the DS record for the lower zone, or properly deny such a
DS, making the bar.foo zone DNSSEC bogus.

Best regards,
   Wouter

On 09/10/2010 10:34 PM, Brian Dickson wrote:
> I've been giving more thought to the issue of DNAME vs "exceptions", and
> checked both RFC 2672, and the current draft 2672-bis.
> 
> The following is *technically* allowed, and *definitely* evil.
> 
> But, at least in the current latest bind implementation I've checked
> (bind 9.7.1-P2), it actually works, with no modifications to the
> protocol or the code.
> 
> Which means, if folks agree that this is a reasonable hack to allow use
> of, it may be possible to implement all the desired features and
> functions for "the same" using just a slightly-modified SHADOW.
> (And suitable additional discussion in 2672-bis, for which if needed I
> am willing to supply text.)
> 
> Here's the trick - on the authority server, serve up more-specific
> zone(s) as needed, whose owner would have been a descendant of one of
> the DNAMEs used to make things "the same".
> 
> Being "deeper" in the tree, it is found first. And not being in the same
> zone, it is technically allowed, although strongly discouraged (SHOULD
> NOT is the language in -bis).
> 
> 
> So, the modifications to SHADOW would be:
> Place exceptions in per-SHADOW-zone more-specific zones (generating the
> zone files and conf files as needed)
> Normal SHADOW zones consist of apex copies of Amber apex, plus DNAME of
> Amber zone (per the previous suggestion, was it Olaf?)
> (Delegations to signed SHADOW zones might not handle "exceptions"
> properly, or at all, or some additional fix-ups may make them possible.)
> 
> Brian
> 
> 
> Here's an example of it in use (apologies for the bind-specific bits):
> 
> /etc/named.conf (relevant bits anyway):
> 
> zone "foo.example.com" IN {
>     type master;
>     file "foo.example.zone";
>     allow-update { none; };
> };
> 
> zone "bar.example.com" IN {
>     type master;
>     file "bar.example.zone";
>     allow-update { none; };
> };
> 
> // more-specific zone whose apex sits below the foo.example.com DNAME owner
> zone "bar.foo.example.com" IN {
>     type master;
>     file "bar.foo.example.zone";
>     allow-update { none; };
> };
> 
> 
> file bar.example.zone:
> 
> $TTL    86400
> $ORIGIN bar.example.com.
> @            1D IN SOA    @ root (
>                     42        ; serial (d. adams)
>                     3H        ; refresh
>                     15M       ; retry
>                     1W        ; expiry
>                     1D )      ; minimum
> 
>              1D IN NS     ns1.bar.example.com.
> ns1.bar.example.com.    1D IN A    127.0.0.1 ;glue record
> foo          1D IN TXT    "foo.bar.example.com is what is in the zone. Where did you find this record?"
> bar          1D IN TXT    "bar.bar.example.com is what is in the zone. Where did you find this record?"
> foo.bar      1D IN TXT    "foo.bar.bar.example.com is what is in the zone. Where did you find this record?"
> 
> 
> file bar.foo.example.zone:
> 
> $TTL    86400
> $ORIGIN bar.foo.example.com.
> @            1D IN SOA    @ root (
>                     42        ; serial (d. adams)
>                     3H        ; refresh
>                     15M       ; retry
>                     1W        ; expiry
>                     1D )      ; minimum
> 
>              1D IN NS     ns1.bar.foo.example.com.
> ns1.bar.foo.example.com.    1D IN A    127.0.0.1 ;glue record
> foo          1D IN TXT    "foo.bar.foo.example.com is what is in the zone. Where did you find this record?"
> 
> 
> file foo.example.zone:
> 
> $TTL    86400
> $ORIGIN foo.example.com.
> @            1D IN SOA    @ root (
>                     42        ; serial (d. adams)
>                     3H        ; refresh
>                     15M       ; retry
>                     1W        ; expiry
>                     1D )      ; minimum
> 
>              1D IN NS     ns1.foo.example.com.
>              1D IN DNAME  bar.example.com.
> ns1.foo.example.com.    1D IN A    127.0.0.1 ;glue record
> foo          1D IN TXT    "foo.foo.example.com is what is in the zone. Where did you find this record?"
> bar          1D IN TXT    "bar.foo.example.com is what is in the zone. Where did you find this record?"
> foo.bar      1D IN TXT    "foo.bar.foo.example.com is what is in the zone. Where did you find this record?"
> ; NB - the above are, if present, occluded by the DNAME.
> 
> 
> And the results:
> 
> bash-3.2# dig @127.0.0.1 TXT foo.foo.example.com
> 
> ; <<>> DiG 9.4.3-P3 <<>> @127.0.0.1 TXT foo.foo.example.com
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64694
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; QUESTION SECTION:
> ;foo.foo.example.com.        IN    TXT
> 
> ;; ANSWER SECTION:
> foo.example.com.        86400    IN    DNAME    bar.example.com.
> foo.foo.example.com.    0        IN    CNAME    foo.bar.example.com.
> foo.bar.example.com.    86400    IN    TXT      "foo.bar.example.com is what is in the zone. Where did you find this record?"
> 
> ;; AUTHORITY SECTION:
> bar.example.com.        86400    IN    NS       ns1.bar.example.com.
> 
> ;; ADDITIONAL SECTION:
> ns1.bar.example.com.    86400    IN    A        127.0.0.1
> 
> ;; Query time: 13 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri Sep 10 17:24:05 2010
> ;; MSG SIZE  rcvd: 206
> 
> bash-3.2# dig @127.0.0.1 TXT foo.bar.example.com
> 
> ; <<>> DiG 9.4.3-P3 <<>> @127.0.0.1 TXT foo.bar.example.com
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38887
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; QUESTION SECTION:
> ;foo.bar.example.com.        IN    TXT
> 
> ;; ANSWER SECTION:
> foo.bar.example.com.    86400    IN    TXT      "foo.bar.example.com is what is in the zone. Where did you find this record?"
> 
> ;; AUTHORITY SECTION:
> bar.example.com.        86400    IN    NS       ns1.bar.example.com.
> 
> ;; ADDITIONAL SECTION:
> ns1.bar.example.com.    86400    IN    A        127.0.0.1
> 
> ;; Query time: 11 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri Sep 10 17:24:18 2010
> ;; MSG SIZE  rcvd: 159
> 
> bash-3.2# dig @127.0.0.1 TXT foo.bar.foo.example.com
> 
> ; <<>> DiG 9.4.3-P3 <<>> @127.0.0.1 TXT foo.bar.foo.example.com
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36569
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; QUESTION SECTION:
> ;foo.bar.foo.example.com.    IN    TXT
> 
> ;; ANSWER SECTION:
> foo.bar.foo.example.com.    86400    IN    TXT    "foo.bar.foo.example.com is what is in the zone. Where did you find this record?"
> 
> ;; AUTHORITY SECTION:
> bar.foo.example.com.        86400    IN    NS     ns1.bar.foo.example.com.
> 
> ;; ADDITIONAL SECTION:
> ns1.bar.foo.example.com.    86400    IN    A      127.0.0.1
> 
> ;; Query time: 7 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri Sep 10 17:24:25 2010
> ;; MSG SIZE  rcvd: 167
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkyLPw4ACgkQkDLqNwOhpPiH3ACgmZwdL5bnX1HzOevm3uAPNLn3
CKcAoIwV5EoZcwQhgmAqNGDSJquXcjAt
=9818
-----END PGP SIGNATURE-----
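To make Wouter's objection concrete, here is an added example that is not code from this thread, from BIND, NSD or Unbound: a toy model in Python of Brian's setup (one authoritative server hosting all three zones, record data copied from his zone files) next to a caching resolver that, as RFC 2672 permits, synthesizes the CNAME itself from a DNAME it has already cached. TTLs, DNSSEC, glue and negative caching are deliberately left out, and every function and class name is this example's own.

```python
"""Toy model of DNAME handling: an authority hosting all three zones from the
quoted message, and a cache that synthesizes CNAMEs from a DNAME it already
holds (RFC 2672 section 3).  Constructed data; TTLs and DNSSEC are ignored."""


def labels(name):
    """Absolute name -> list of lowercase labels, root label omitted."""
    return name.rstrip(".").lower().split(".")


def is_proper_subdomain(name, ancestor):
    n, a = labels(name), labels(ancestor)
    return len(n) > len(a) and n[-len(a):] == a


def dname_substitute(qname, owner, target):
    """Swap the DNAME owner suffix of qname for the DNAME target."""
    prefix = labels(qname)[: -len(labels(owner))]
    return ".".join(prefix + labels(target)) + "."


def txt(name):
    return ("TXT", f"{name} is what is in the zone. Where did you find this record?")


# Constructed record store mirroring the three zone files (SOA/NS/glue left out;
# they play no part in the name lookup).
ZONES = {
    "bar.example.com.": {
        "foo.bar.example.com.": txt("foo.bar.example.com"),
        "bar.bar.example.com.": txt("bar.bar.example.com"),
        "foo.bar.bar.example.com.": txt("foo.bar.bar.example.com"),
    },
    "bar.foo.example.com.": {  # the "exception" zone below the DNAME owner
        "foo.bar.foo.example.com.": txt("foo.bar.foo.example.com"),
    },
    "foo.example.com.": {
        "foo.example.com.": ("DNAME", "bar.example.com."),
        # foo, bar, foo.bar under foo.example.com are occluded, so not loaded.
    },
}


def closest_zone(qname):
    """Deepest zone apex that is qname or an ancestor of it.  Picking the deepest
    match is what lets bar.foo.example.com win over the DNAME when the
    authority itself is asked."""
    hits = [z for z in ZONES if qname == z or is_proper_subdomain(qname, z)]
    return max(hits, key=lambda z: len(labels(z))) if hits else None


def authoritative_lookup(qname, qtype="TXT", depth=0):
    """Answer as the authority does in the dig output: a list of
    (owner, type, rdata), with DNAME + synthesized CNAME prepended if one applies."""
    if depth > 8:  # guard against DNAME loops in broken data
        return []
    apex = closest_zone(qname)
    if apex is None:
        return []
    zone, n = ZONES[apex], labels(qname)
    # A DNAME applies to proper subdomains of its owner: check every ancestor
    # of qname from just above qname down to the zone apex.
    for i in range(1, len(n) - len(labels(apex)) + 1):
        ancestor = ".".join(n[i:]) + "."
        rr = zone.get(ancestor)
        if rr and rr[0] == "DNAME":
            new_name = dname_substitute(qname, ancestor, rr[1])
            return ([(ancestor, "DNAME", rr[1]), (qname, "CNAME", new_name)]
                    + authoritative_lookup(new_name, qtype, depth + 1))
    rr = zone.get(qname)
    return [(qname, rr[0], rr[1])] if rr and rr[0] == qtype else []


class CachingResolver:
    """Remembers every DNAME it has seen and applies it to later queries
    without asking the authority again, as the RFC allows."""

    def __init__(self):
        self.dname_cache = {}   # owner -> target
        self.auth_queries = []  # names actually sent to the authority

    def resolve(self, qname, qtype="TXT", depth=0):
        if depth > 8:
            return []
        for owner, target in list(self.dname_cache.items()):
            if is_proper_subdomain(qname, owner):
                new_name = dname_substitute(qname, owner, target)
                return ([(owner, "DNAME", target), (qname, "CNAME", new_name)]
                        + self.resolve(new_name, qtype, depth + 1))
        self.auth_queries.append(qname)
        answer = authoritative_lookup(qname, qtype)
        for owner, rtype, rdata in answer:
            if rtype == "DNAME":
                self.dname_cache[owner] = rdata
        return answer


def final_rdata(answer):
    """Rdata of the last record in an answer chain (the TXT), or None."""
    return answer[-1][2] if answer else None


def demo():
    """Same question three ways: (direct, cold_cache, warm_cache, warm_queries)."""
    q = "foo.bar.foo.example.com."
    direct = final_rdata(authoritative_lookup(q))
    via_cold = final_rdata(CachingResolver().resolve(q))
    warm = CachingResolver()
    warm.resolve("foo.foo.example.com.")  # any name under foo.example.com primes the DNAME
    via_warm = final_rdata(warm.resolve(q))
    return direct, via_cold, via_warm, warm.auth_queries
```

demo() returns the TXT a direct query to the authority yields, the same query through an empty cache, the same query through a cache that has already seen the foo.example.com DNAME, and the list of names that warm cache actually sent to the authority. The first two come from the bar.foo.example.com zone, the third from bar.example.com (foo.bar.bar.example.com), and foo.bar.foo.example.com never appears in the fourth: once the DNAME is cached, the more-specific zone is simply never asked for.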