Re: [DNSOP] Where in a CNAME chain is the QNAME?

Robert Edmonds <edmonds@mycre.ws> Tue, 20 September 2016 16:37 UTC

Date: Tue, 20 Sep 2016 12:37:53 -0400
From: Robert Edmonds <edmonds@mycre.ws>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Message-ID: <20160920163753.5k4h4cvrtdkt4pjh@mycre.ws>
References: <20160920161350.GA3288@laperouse.bortzmeyer.org>
In-Reply-To: <20160920161350.GA3288@laperouse.bortzmeyer.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/lXIX0Fuv0XlThRcJ9cLpcnP1lys>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Where in a CNAME chain is the QNAME?
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

Stephane Bortzmeyer wrote:
> Do you like long terminology discussions, backed by a dozen RFC, where
> people disagree on what's written in these RFC? If so, read on.

Yes, please!

> RFC 1034 had a different definition of QNAME but is not clear on the
> specific case of CNAME chains:
> 
> > A standard query specifies a target domain name (QNAME)

RFC 1034 gives an "algorithm" (§4.3.2):

    […] Search the available zones for the zone which is the nearest
    ancestor to QNAME. […]

        […] If the whole of QNAME is matched, we have found the node.

            If the data at the node is a CNAME, and QTYPE doesn't match
            CNAME, copy the CNAME RR into the answer section of the
            response, change QNAME to the canonical name in the CNAME
            RR, and go back to step 1.

            […]

It seems the use of QNAME for anything other than the question resource
record name is due to this "variable reuse" in the §4.3.2 "algorithm".

RFC 1035 gives a definition of QNAME in §4.1.

    All communications inside of the domain protocol are carried in a
    single format called a message. […]

    The names of the sections after the header are derived from their
    use in standard queries.  The question section contains fields that
    describe a question to a name server.  These fields are a query type
    (QTYPE), a query class (QCLASS), and a query domain name (QNAME).
    […]

So, this implies that QNAME means the same thing regardless of whether
the message is a query or response.

Also see §4.1.2 which is even more graphic about where the QNAME is.

> So, which is right? In this DNS query:
> 
> % dig A www.afnic.fr
> 
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> A www.afnic.fr
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35551
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1280
> ;; QUESTION SECTION:
> ;www.afnic.fr.		IN A
> 
> ;; ANSWER SECTION:
> www.afnic.fr.		213 IN CNAME www.nic.fr.
> www.nic.fr.		213 IN CNAME lb01-1.nic.fr.
> lb01-1.nic.fr.		213 IN A 192.134.5.24
> 
> ;; Query time: 875 msec
> ;; SERVER: 192.168.43.1#53(192.168.43.1)
> ;; WHEN: Tue Sep 20 18:11:06 CEST 2016
> ;; MSG SIZE  rcvd: 100
> 
> Is the QNAME "www.afnic.fr" or "lb01-1.nic.fr" ("the data field of the
> last CNAME")???

"www.afnic.fr", because that is the domain name in the question section.

-- 
Robert Edmonds
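The RFC 1034 §4.3.2 procedure quoted in this reply is easy to misread precisely because it reuses the word QNAME for a working variable that gets rewritten at each CNAME. The following added example (not code from the thread or from any of the RFCs) models that procedure over an in-memory zone built from the dig output quoted above, keeping the question-section name separate from the working name so that the response shows the distinction the reply is making: the question keeps "www.afnic.fr." while the answer section accumulates the CNAME chain and the final A record. The zone layout, the Response shape and the chain cap of 8 are assumptions; RFC 1034 gives no numeric limit, but a real server must bound the loop or a CNAME cycle will spin it forever.

```python
from dataclasses import dataclass, field

# Constructed zone mirroring the dig output quoted in the thread
# (owner names and the address are as shown there; the zone layout is assumed).
ZONE = {
    "www.afnic.fr.":   [("CNAME", "www.nic.fr.")],
    "www.nic.fr.":     [("CNAME", "lb01-1.nic.fr.")],
    "lb01-1.nic.fr.":  [("A", "192.134.5.24")],
}

MAX_CNAME_CHAIN = 8   # assumed cap; RFC 1034 sets none, real resolvers pick one


@dataclass
class Response:
    qname: str                      # question-section name: never rewritten
    qtype: str
    rcode: str = "NOERROR"
    answer: list = field(default_factory=list)   # (owner, type, rdata)


def lookup(zone, qname, qtype, max_chain=MAX_CNAME_CHAIN):
    """Resolve qname/qtype from zone following RFC 1034 section 4.3.2 step 3a.

    `name` plays the role of the rewritable "QNAME" variable in the RFC text;
    the Response carries the real question-section QNAME unchanged.
    """
    resp = Response(qname=qname, qtype=qtype)
    name = qname
    # One iteration per name visited: up to max_chain CNAMEs plus the final owner.
    for _ in range(max_chain + 1):
        rrset = zone.get(name)
        if rrset is None:
            # Name does not exist (for the last target, the CNAMEs already
            # copied into the answer stay there, as a server would send them).
            resp.rcode = "NXDOMAIN"
            return resp
        cname = [r for r in rrset if r[0] == "CNAME"]
        if cname and qtype != "CNAME":
            # Step 3a: copy the CNAME RR into the answer section, change the
            # working name to the canonical name, and go back to step 1.
            resp.answer.append((name, "CNAME", cname[0][1]))
            name = cname[0][1]
            continue
        # Node found and it is not a CNAME we must chase: emit matching RRs.
        # An empty answer with NOERROR is the NODATA case.
        for rtype, rdata in rrset:
            if rtype == qtype:
                resp.answer.append((name, rtype, rdata))
        return resp
    # Chain longer than the cap (or a CNAME loop): refuse instead of spinning.
    resp.rcode = "SERVFAIL"
    return resp


if __name__ == "__main__":
    r = lookup(ZONE, "www.afnic.fr.", "A")
    print("QUESTION:", r.qname, r.qtype)
    for owner, rtype, rdata in r.answer:
        print("ANSWER:  ", owner, rtype, rdata)
```

Querying for QTYPE CNAME returns only the first CNAME RR without chasing, exactly as the RFC text conditions the rewrite on "QTYPE doesn't match CNAME"; a constructed two-name CNAME cycle hits the cap and comes back SERVFAIL with the original QNAME still in the question.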