Re: [DNSOP] CNAME chain length limits
dagon <dagon@sudo.sh> Thu, 28 May 2020 02:44 UTC
Return-Path: <dagon@sudo.sh>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8EEA3A0B27 for <dnsop@ietfa.amsl.com>; Wed, 27 May 2020 19:44:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.621
X-Spam-Level:
X-Spam-Status: No, score=-1.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.276, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m7EXPJBB9SNy for <dnsop@ietfa.amsl.com>; Wed, 27 May 2020 19:44:12 -0700 (PDT)
Received: from sudo.sh (hexakaideca.sudo.sh [198.177.251.74]) by ietfa.amsl.com (Postfix) with ESMTP id DAAB03A0B22 for <dnsop@ietf.org>; Wed, 27 May 2020 19:44:12 -0700 (PDT)
Received: by sudo.sh (Postfix, from userid 1000) id AABE4260251; Thu, 28 May 2020 02:44:10 +0000 (UTC)
Date: Thu, 28 May 2020 02:44:10 +0000
From: dagon <dagon@sudo.sh>
To: Tony Finch <dot@dotat.at>
Cc: Evan Hunt <each@isc.org>, dnsop@ietf.org, John R Levine <johnl@taugh.com>
Message-ID: <20200528024410.GA7675@sudo.sh>
References: <alpine.OSX.2.22.407.2005271341530.35268@ary.qy> <20200527180846.GA51895@isc.org> <20200527200614.GC3582@sudo.sh> <alpine.DEB.2.20.2005280101240.18104@grey.csi.cam.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.DEB.2.20.2005280101240.18104@grey.csi.cam.ac.uk>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/g5XUu6WFo-v_i5smMSiYz-4m_SE>
Subject: Re: [DNSOP] CNAME chain length limits
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2020 02:44:21 -0000
On Thu, May 28, 2020 at 01:02:47AM +0100, Tony Finch wrote: > dagon <dagon@sudo.sh> wrote: > > > > -- Tests for ("improper") horizontal vs. vertical CNAMEs. Some > > recursive speakers fail; some complain ("BAD (HORIZONTAL) > > REFERRAL", but answer), and some follow without complaint. > > Can you explain what these are, please? If a canonical answer points to the same level as the 'owner name', then the left and right sides share NS. (This is the most common case, and even outlined in 1034.) If this discovery occurs during a CNAME chain chase with yet another empty answer, the NS is in a sense making a referral to itself, or its pool of secondary NS serving the same delegation cut level---the bad horizontal referral. 1034 merely says resolution should be robust, and that "CNAME chains should be followed and CNAME loops signalled as an error", s.3.6.2. But that doesn't mean resolvers have to put up with this behavior quietly. Dig issues warnings in such cases; see followup_lookup() in dighost.c: if (namereln == dns_namereln_equal) { if (!horizontal) printf(";; BAD (HORIZONTAL) REFERRAL\n"); horizontal = true; Tools that warn about this seem to take the larger view that such referrals should be directed maybe to a new sibling tree (e.g., something in example.org CNAME'd to some place in example.com) or further downward (implying there's a zone cut, but that aspect is not enforced or audited by dig.) There's sense in this: during the second empty answer in CNAME to a mere sibling label, the recursive is *already* talking to the right authority, dammit, and frankly it's inability to sort the zone into a non-chained state is an unhelpful referral. (It may also symptomatic of a zone configuration error--- implicit $ORIGINs and inconsistent fqdns, and such---which is probably why dig included this warning.) You can actually experience something like horizontal referrals in some US airport security screenings, which segregate passenger lines based on ticket classes. If you have a higher ranked ticket, but stand in the *longer* lower ranked line to chat with your friend, you might be referred back to the end of the higher ranked ticket line, just to arrive again at the very same screening point---a bad horizontal referral in most people's view. I never encountered this in European airports, and so it is very fitting that ldns tools and kdig don't check horizontal referrals like dig. By this analogy, DNS resolvers have a choice in chained horizontal follows: quietly continue the journey, continue on but argue to anyone logging complaints (dig), or just abruptly cancel the flight (SERVFAIL). It would be useful to have a survey of all such behaviors for various appliances and tools on the Internet, since this sometimes leads to zones being unavailable. You can find a few anecdotes in the BIND support lists. -- David Dagon dagon@sudo.sh D970 6D9E E500 E877 B1E3 D3F8 5937 48DC 0FDC E717
- [DNSOP] CNAME chain length limits John R Levine
- Re: [DNSOP] CNAME chain length limits Evan Hunt
- Re: [DNSOP] CNAME chain length limits John R Levine
- Re: [DNSOP] CNAME chain length limits Eric Orth
- Re: [DNSOP] CNAME chain length limits Eric Orth
- Re: [DNSOP] CNAME chain length limits John R Levine
- Re: [DNSOP] CNAME chain length limits John R Levine
- Re: [DNSOP] CNAME chain length limits dagon
- Re: [DNSOP] CNAME chain length limits Eric Orth
- Re: [DNSOP] CNAME chain length limits Paul Vixie
- Re: [DNSOP] CNAME chain length limits Tony Finch
- Re: [DNSOP] CNAME chain length limits dagon
- Re: [DNSOP] CNAME chain length limits Mark Andrews
- Re: [DNSOP] CNAME chain length limits John R Levine
- Re: [DNSOP] CNAME chain length limits dagon