IETF Logo Mail Archive

Re: [DNSOP] CNAME chain length limits

dagon <dagon@sudo.sh> Thu, 28 May 2020 02:44 UTC

Return-Path: <dagon@sudo.sh>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8EEA3A0B27 for <dnsop@ietfa.amsl.com>; Wed, 27 May 2020 19:44:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.621
X-Spam-Level:
X-Spam-Status: No, score=-1.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.276, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m7EXPJBB9SNy for <dnsop@ietfa.amsl.com>; Wed, 27 May 2020 19:44:12 -0700 (PDT)
Received: from sudo.sh (hexakaideca.sudo.sh [198.177.251.74]) by ietfa.amsl.com (Postfix) with ESMTP id DAAB03A0B22 for <dnsop@ietf.org>; Wed, 27 May 2020 19:44:12 -0700 (PDT)
Received: by sudo.sh (Postfix, from userid 1000) id AABE4260251; Thu, 28 May 2020 02:44:10 +0000 (UTC)
Date: Thu, 28 May 2020 02:44:10 +0000
From: dagon <dagon@sudo.sh>
To: Tony Finch <dot@dotat.at>
Cc: Evan Hunt <each@isc.org>, dnsop@ietf.org, John R Levine <johnl@taugh.com>
Message-ID: <20200528024410.GA7675@sudo.sh>
References: <alpine.OSX.2.22.407.2005271341530.35268@ary.qy> <20200527180846.GA51895@isc.org> <20200527200614.GC3582@sudo.sh> <alpine.DEB.2.20.2005280101240.18104@grey.csi.cam.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.DEB.2.20.2005280101240.18104@grey.csi.cam.ac.uk>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/g5XUu6WFo-v_i5smMSiYz-4m_SE>
Subject: Re: [DNSOP] CNAME chain length limits
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2020 02:44:21 -0000

On Thu, May 28, 2020 at 01:02:47AM +0100, Tony Finch wrote:
> dagon <dagon@sudo.sh> wrote:
> >
> >   -- Tests for ("improper") horizontal vs. vertical CNAMEs.  Some
> >      recursive speakers fail; some complain ("BAD (HORIZONTAL)
> >      REFERRAL", but answer), and some follow without complaint.
> 
> Can you explain what these are, please?

If a canonical answer points to the same level as the 'owner name',
then the left and right sides share NS.  (This is the most common
case, and even outlined in 1034.)  If this discovery occurs during a
CNAME chain chase with yet another empty answer, the NS is in a sense
making a referral to itself, or its pool of secondary NS serving the
same delegation cut level---the bad horizontal referral.

1034 merely says resolution should be robust, and that "CNAME chains
should be followed and CNAME loops signalled as an error", s.3.6.2.
But that doesn't mean resolvers have to put up with this behavior
quietly.  Dig issues warnings in such cases; see followup_lookup() in
dighost.c:

   if (namereln == dns_namereln_equal) {
      if (!horizontal)
         printf(";; BAD (HORIZONTAL) REFERRAL\n");
      horizontal = true;

Tools that warn about this seem to take the larger view that such
referrals should be directed maybe to a new sibling tree (e.g.,
something in example.org CNAME'd to some place in example.com) or
further downward (implying there's a zone cut, but that aspect is not
enforced or audited by dig.)  There's sense in this: during the second
empty answer in CNAME to a mere sibling label, the recursive is
*already* talking to the right authority, dammit, and frankly it's
inability to sort the zone into a non-chained state is an unhelpful
referral.  (It may also symptomatic of a zone configuration error---
implicit $ORIGINs and inconsistent fqdns, and such---which is probably
why dig included this warning.)

You can actually experience something like horizontal referrals in
some US airport security screenings, which segregate passenger lines
based on ticket classes.  If you have a higher ranked ticket, but
stand in the *longer* lower ranked line to chat with your friend, you
might be referred back to the end of the higher ranked ticket line,
just to arrive again at the very same screening point---a bad
horizontal referral in most people's view.  I never encountered this
in European airports, and so it is very fitting that ldns tools and
kdig don't check horizontal referrals like dig.

By this analogy, DNS resolvers have a choice in chained horizontal
follows: quietly continue the journey, continue on but argue to anyone
logging complaints (dig), or just abruptly cancel the flight
(SERVFAIL).

It would be useful to have a survey of all such behaviors for various
appliances and tools on the Internet, since this sometimes leads to
zones being unavailable.  You can find a few anecdotes in the BIND
support lists.
 
-- 
David Dagon
dagon@sudo.sh
D970 6D9E E500 E877 B1E3  D3F8 5937 48DC 0FDC E717

v2.23.0 | Report a Bug | By Email