Re: [DNSOP] RFC2317 Question: Resolving cname delegation

Vladimír Čunát <vladimir.cunat+ietf@nic.cz> Thu, 24 August 2017 16:06 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/VK7-TDfy594tNF6UYxWzWFeaZTE>

Hello.

On 08/24/2017 05:46 PM, Hector Santos wrote:
> [...] Not expecting this in my DNS resolver code, I modified the
> resolver to take the CNAMEs into account and return the host names
> instead.  Was this the correct thing to do, thus providing the same
> results regardless of the query location? [...]

I can't see any hint in RFC2317 that resolvers should/could change the
data they obtain from upstream, even if just "expand CNAMEs" (and it's
only a BCP RFC anyway).  In particular, if the particular zone is covered
by DNSSEC, you may trigger validation errors by that.

--Vladimir
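
The point made in the reply above, as an added example that is not part of the original message or any resolver's own code: a client can follow the RFC 2317 CNAME chain in the answer it received and leave the records untouched, whereas re-owning the PTR data at the query name yields an RRset that no RRSIG in the answer covers. The records are constructed in the style of RFC 2317's 192.0.2.0/25 case, `host1.example.` is a made-up target, and signature coverage is modelled as an (owner, type) lookup rather than real DNSSEC cryptographic validation.

```python
# Constructed answer section: (owner, rrtype, rdata).
# For RRSIG records the rdata here is only the type covered (a simplification).
ANSWER = [
    ("1.2.0.192.in-addr.arpa.", "CNAME", "1.0/25.2.0.192.in-addr.arpa."),
    ("1.2.0.192.in-addr.arpa.", "RRSIG", "CNAME"),
    ("1.0/25.2.0.192.in-addr.arpa.", "PTR", "host1.example."),
    ("1.0/25.2.0.192.in-addr.arpa.", "RRSIG", "PTR"),
]

def norm(name):
    """Lower-case a name and make it fully qualified for comparison."""
    return name.lower().rstrip(".") + "."

def follow_cnames(qname, qtype, answer, max_hops=8):
    """Return (chain, rdatas): owners visited and the final rdata; records untouched."""
    owner, chain, seen = norm(qname), [], set()
    while True:
        if owner in seen or len(chain) >= max_hops:
            raise ValueError("CNAME loop or chain too long")
        seen.add(owner)
        chain.append(owner)
        here = [r for r in answer if norm(r[0]) == owner]
        found = [r[2] for r in here if r[1] == qtype]
        if found:
            return chain, found
        cname = [r[2] for r in here if r[1] == "CNAME"]
        if not cname:
            return chain, []  # chain ends without data of the requested type
        owner = norm(cname[0])

def flatten(qname, qtype, answer):
    """What a rewriting resolver would return: final data re-owned at the query name."""
    _, rdatas = follow_cnames(qname, qtype, answer)
    return [(norm(qname), qtype, d) for d in rdatas]

def unsigned_rrsets(records, signed_answer):
    """List (owner, type) RRsets in records with no covering RRSIG in signed_answer."""
    covered = {(norm(o), d) for o, t, d in signed_answer if t == "RRSIG"}
    rrsets = {(norm(o), t) for o, t, _ in records if t != "RRSIG"}
    return sorted(rrsets - covered)

if __name__ == "__main__":
    q = "1.2.0.192.in-addr.arpa."
    print(follow_cnames(q, "PTR", ANSWER))
    print(unsigned_rrsets(flatten(q, "PTR", ANSWER), ANSWER))
```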