IETF Logo Mail Archive

Re: [DNSOP] RFC2317 Question: Resolving cname delegation

Grant Taylor <gtaylor@tnetconsulting.net> Sat, 26 August 2017 20:01 UTC

Return-Path: <gtaylor@tnetconsulting.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57F20132BF0 for <dnsop@ietfa.amsl.com>; Sat, 26 Aug 2017 13:01:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URI_TRY_3LD=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=tnetconsulting.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sIUIpyDAK-qc for <dnsop@ietfa.amsl.com>; Sat, 26 Aug 2017 13:01:21 -0700 (PDT)
Received: from tncsrv06.tnetconsulting.net (tncsrv06.tnetconsulting.net [IPv6:2600:3c00::f03c:91ff:fe26:8849]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 80A7613293B for <dnsop@ietf.org>; Sat, 26 Aug 2017 13:01:21 -0700 (PDT)
Received: from [198.18.18.251] ([8.44.145.194]) (authenticated bits=0) by tncsrv06.tnetconsulting.net (8.15.2/8.15.2/Debian-3) with ESMTPSA id v7QK1LR5028214 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for <dnsop@ietf.org>; Sat, 26 Aug 2017 15:01:23 -0500
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.99.2 at tncsrv06
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=tnetconsulting.net; s=2015; t=1503777683; bh=4mYZUBMMaM/6jrbCrxLTXGev9PTXhlpPLcJlfG9AHQg=; h=Subject:To:References:From:Date:In-Reply-To:From; b=F/6IR+HsgxZOYdOS07gGQW4IAn6ANJ59EIovei3iA9MpOskKMuLF0dm1X4g2zNxZE 7hMJFAdfM52Qb4+02bCC8QpOcVOj8iDjCdl+lF4yHApTfHX0HnrJQRjUEAr9bzBjGM vEvozd8+CqkBgv8FOeB1i5wjetyunBkezWy+a7AQ=
To: dnsop@ietf.org
References: <599EF4F2.6070509@isdg.net> <79b5be5d-1cb0-44ac-a2c8-ebacf7ac2960@tnetconsulting.net> <59A1BC8A.3050204@isdg.net>
From: Grant Taylor <gtaylor@tnetconsulting.net>
Message-ID: <fc56df7d-31b1-104a-e8fb-830326a93119@tnetconsulting.net>
Date: Sat, 26 Aug 2017 14:01:28 -0600
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.0
MIME-Version: 1.0
In-Reply-To: <59A1BC8A.3050204@isdg.net>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms020108050409010903060200"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/15byq7h5dtbmwzMssczX67Rr4wY>
Subject: Re: [DNSOP] RFC2317 Question: Resolving cname delegation
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Aug 2017 20:01:23 -0000

On 08/26/2017 12:23 PM, Hector Santos wrote:
> This was done, at least the first part of providing the ISP the two NS
> servers required.  They used RFC2317 to setup the cname delegation. On
> my servers, I had done what you suggestion with the second method using
> a parent c.b.a.in-addr.arpa zone.   It all seems to work, except for the
> unexpected cname+ptr records with non-authoritive results.

If CNAME is still involved, you didn't do what I'm recommending.

Suppose that this is the ISP's reverse DNS zone:


$ORIGIN .
$TTL 3600
2.0.192.in-addr.arpa	IN	SOA	ispdnsserver.example.com.
hostmaster.example.com. (
					1234567890	; serial
					3600		; refresh
					1800		; retry
					604800		; expire
					)
			IN	NS	ispdnsserver.example.com.
$GENERATE 1-122 $ PTR somehost.example.com.
123			IN	NS	mydnsserver.example.net.
$GENERATE 124-255 $ PTR somehost.example.com.


This would be your reverse DNS zone:


$ORIGIN .
$TTL 3600
2.0.192.in-addr.arpa	IN	SOA	mydnsserver.example.net.
hostmaster.example.com. (
					1234567890	; serial
					3600		; refresh
					1800		; retry
					604800		; expire
					)
			IN	NS	mydnsserver.example.net.
$GENERATE 1-122 $ NS ispdnsserver.example.com.
123			IN	PTR	myserver.example.net
$GENERATE 124-255 $ NS ispdnsserver.example.com.


Notice how the ISP is using an NS record instead of a PTR or a CNAME record.

The ISP is quite literally delegating DNS responsibility to you, the
exact same way that the upstream parent, 0.192.in-addr.arpa., delegated
2.0.192.in-addr.arpa. to the ISP.

That is the catch.  You are re-using THE EXACT SAME METHOD that is
already used, NS delegation.

Do NOT use CNAMEs in the parent zone.

> Still studying the impact.  I was trying to prevent some consistency in
> the results in the resolver.  In the same way, that its done for
> A->CNAME->A results.

CNAMEs in reverse DNS have been problematic for me.  (See previous email.)

> Thanks

You're welcome.



-- 
Grant. . . .
unix || die

v2.14.0 | Report a Bug | By Email