Re: [DNSOP] CNAME chain length limits

John R Levine <johnl@taugh.com> Wed, 27 May 2020 19:23 UTC

Date: Wed, 27 May 2020 15:23:39 -0400
Message-ID: <alpine.OSX.2.22.407.2005271523120.35864@ary.qy>
From: John R Levine <johnl@taugh.com>
To: Eric Orth <ericorth@google.com>
Cc: dnsop <dnsop@ietf.org>
In-Reply-To: <CAMOjQcGdk01vLi2ZFWXipDcp-hksgpUQKpxvjNdg4c32gcR6-Q@mail.gmail.com>
References: <alpine.OSX.2.22.407.2005271341530.35268@ary.qy> <CAMOjQcFY4CpM_a7Q=KZ7UTuPW4SdRX1CNcSbviw0FSfDSt6_hA@mail.gmail.com> <CAMOjQcGdk01vLi2ZFWXipDcp-hksgpUQKpxvjNdg4c32gcR6-Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pht0ZNG9yOjBvYVoE7zglIyLhmk>
Subject: Re: [DNSOP] CNAME chain length limits
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

> I should also note though that Chrome's built-in stub won't do any followup
> queries if the full chain is not in the response from the recursive.

Interesting point -- if the result is truncated, will it requery with TCP?

>
> On Wed, May 27, 2020 at 3:03 PM Eric Orth <ericorth@google.com> wrote:
>
>>
>>
>> On Wed, May 27, 2020 at 1:49 PM John R Levine <johnl@taugh.com> wrote:
>>
>>> While I should have been doing something else, I made a rather long CNAME
>>> chain.  When I looked up chain.examp1e.com it got SERVFAIL, but after I
>>> warmed up my cache five links at a time by looking for chain5, chain10,
>>> chain15, and so forth, it worked.  At least it worked in "dig" and
>>> "host".
>>> When I try and look up http://chain.examp1e.com, Chrome waits a while
>>> and says not found,
>>
>>
>> If Chrome is using its built-in stub, there's not expected to be a limit
>> (other than the overall message size limits), but nothing tests chains this
>> long other than security fuzzers that are only looking for crashes or
>> memory issues.
>>
>>
>>> Firefox waits a while and says "Hmm. We’re having
>>> trouble finding that site." and Safari on my Mac hangs.  (Feel free to
>>> try it yourself.)
>>>
>>> I realize the answer to most questions like this can be summarized as
>>> "don't do that", but is there any consensus as to the maximum CNAME chain
>>> length that works reliably, and what happens if the chain is too long?
>>> Hanging seems sub-optimal.
>>>
>>> Regards,
>>> John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
>>> Please consider the environment before reading this e-mail. https://jl.ly
>>>
>>> $ dig chain.examp1e.com A
>>> ;; Truncated, retrying in TCP mode.
>>>
>>> ; <<>> DiG 9.10.6 <<>> chain.examp1e.com a
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59001
>>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 102, AUTHORITY: 0, ADDITIONAL: 1
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 4096
>>> ;; QUESTION SECTION:
>>> ;chain.examp1e.com.             IN      A
>>>
>>> ;; ANSWER SECTION:
>>> chain.examp1e.com.      3371    IN      CNAME   chain100.examp1e.com.
>>> chain100.examp1e.com.   3371    IN      CNAME   chain99.examp1e.com.
>>> chain99.examp1e.com.    3371    IN      CNAME   chain98.examp1e.com.
>>> chain98.examp1e.com.    3371    IN      CNAME   chain97.examp1e.com.
>>> chain97.examp1e.com.    3371    IN      CNAME   chain96.examp1e.com.
>>> chain96.examp1e.com.    3372    IN      CNAME   chain95.examp1e.com.
>>> chain95.examp1e.com.    3372    IN      CNAME   chain94.examp1e.com.
>>> chain94.examp1e.com.    3372    IN      CNAME   chain93.examp1e.com.
>>> chain93.examp1e.com.    3372    IN      CNAME   chain92.examp1e.com.
>>> chain92.examp1e.com.    3589    IN      CNAME   chain91.examp1e.com.
>>> chain91.examp1e.com.    3589    IN      CNAME   chain90.examp1e.com.
>>> chain90.examp1e.com.    3583    IN      CNAME   chain89.examp1e.com.
>>> chain89.examp1e.com.    3583    IN      CNAME   chain88.examp1e.com.
>>> chain88.examp1e.com.    3583    IN      CNAME   chain87.examp1e.com.
>>> chain87.examp1e.com.    3583    IN      CNAME   chain86.examp1e.com.
>>> chain86.examp1e.com.    3583    IN      CNAME   chain85.examp1e.com.
>>> chain85.examp1e.com.    3577    IN      CNAME   chain84.examp1e.com.
>>> chain84.examp1e.com.    3578    IN      CNAME   chain83.examp1e.com.
>>> chain83.examp1e.com.    3578    IN      CNAME   chain82.examp1e.com.
>>> chain82.examp1e.com.    3578    IN      CNAME   chain81.examp1e.com.
>>> chain81.examp1e.com.    3579    IN      CNAME   chain80.examp1e.com.
>>> chain80.examp1e.com.    3570    IN      CNAME   chain79.examp1e.com.
>>> chain79.examp1e.com.    3571    IN      CNAME   chain78.examp1e.com.
>>> chain78.examp1e.com.    3571    IN      CNAME   chain77.examp1e.com.
>>> chain77.examp1e.com.    3571    IN      CNAME   chain76.examp1e.com.
>>> chain76.examp1e.com.    3572    IN      CNAME   chain75.examp1e.com.
>>> chain75.examp1e.com.    3564    IN      CNAME   chain74.examp1e.com.
>>> chain74.examp1e.com.    3564    IN      CNAME   chain73.examp1e.com.
>>> chain73.examp1e.com.    3564    IN      CNAME   chain72.examp1e.com.
>>> chain72.examp1e.com.    3564    IN      CNAME   chain71.examp1e.com.
>>> chain71.examp1e.com.    3564    IN      CNAME   chain70.examp1e.com.
>>> chain70.examp1e.com.    3519    IN      CNAME   chain69.examp1e.com.
>>> chain69.examp1e.com.    3519    IN      CNAME   chain68.examp1e.com.
>>> chain68.examp1e.com.    3519    IN      CNAME   chain67.examp1e.com.
>>> chain67.examp1e.com.    3519    IN      CNAME   chain66.examp1e.com.
>>> chain66.examp1e.com.    3519    IN      CNAME   chain65.examp1e.com.
>>> chain65.examp1e.com.    3519    IN      CNAME   chain64.examp1e.com.
>>> chain64.examp1e.com.    3520    IN      CNAME   chain63.examp1e.com.
>>> chain63.examp1e.com.    3520    IN      CNAME   chain62.examp1e.com.
>>> chain62.examp1e.com.    3520    IN      CNAME   chain61.examp1e.com.
>>> chain61.examp1e.com.    3554    IN      CNAME   chain60.examp1e.com.
>>> chain60.examp1e.com.    3549    IN      CNAME   chain59.examp1e.com.
>>> chain59.examp1e.com.    3549    IN      CNAME   chain58.examp1e.com.
>>> chain58.examp1e.com.    3549    IN      CNAME   chain57.examp1e.com.
>>> chain57.examp1e.com.    3549    IN      CNAME   chain56.examp1e.com.
>>> chain56.examp1e.com.    3549    IN      CNAME   chain55.examp1e.com.
>>> chain55.examp1e.com.    3535    IN      CNAME   chain54.examp1e.com.
>>> chain54.examp1e.com.    3536    IN      CNAME   chain53.examp1e.com.
>>> chain53.examp1e.com.    3536    IN      CNAME   chain52.examp1e.com.
>>> chain52.examp1e.com.    3536    IN      CNAME   chain51.examp1e.com.
>>> chain51.examp1e.com.    3536    IN      CNAME   chain50.examp1e.com.
>>> chain50.examp1e.com.    3536    IN      CNAME   chain49.examp1e.com.
>>> chain49.examp1e.com.    3536    IN      CNAME   chain48.examp1e.com.
>>> chain48.examp1e.com.    3536    IN      CNAME   chain47.examp1e.com.
>>> chain47.examp1e.com.    3536    IN      CNAME   chain46.examp1e.com.
>>> chain46.examp1e.com.    3541    IN      CNAME   chain45.examp1e.com.
>>> chain45.examp1e.com.    3531    IN      CNAME   chain44.examp1e.com.
>>> chain44.examp1e.com.    3531    IN      CNAME   chain43.examp1e.com.
>>> chain43.examp1e.com.    3531    IN      CNAME   chain42.examp1e.com.
>>> chain42.examp1e.com.    3531    IN      CNAME   chain41.examp1e.com.
>>> chain41.examp1e.com.    3531    IN      CNAME   chain40.examp1e.com.
>>> chain40.examp1e.com.    3525    IN      CNAME   chain39.examp1e.com.
>>> chain39.examp1e.com.    3526    IN      CNAME   chain38.examp1e.com.
>>> chain38.examp1e.com.    3526    IN      CNAME   chain37.examp1e.com.
>>> chain37.examp1e.com.    3526    IN      CNAME   chain36.examp1e.com.
>>> chain36.examp1e.com.    3526    IN      CNAME   chain35.examp1e.com.
>>> chain35.examp1e.com.    3513    IN      CNAME   chain34.examp1e.com.
>>> chain34.examp1e.com.    3513    IN      CNAME   chain33.examp1e.com.
>>> chain33.examp1e.com.    3513    IN      CNAME   chain32.examp1e.com.
>>> chain32.examp1e.com.    3513    IN      CNAME   chain31.examp1e.com.
>>> chain31.examp1e.com.    3513    IN      CNAME   chain30.examp1e.com.
>>> chain30.examp1e.com.    3508    IN      CNAME   chain29.examp1e.com.
>>> chain29.examp1e.com.    3508    IN      CNAME   chain28.examp1e.com.
>>> chain28.examp1e.com.    3508    IN      CNAME   chain27.examp1e.com.
>>> chain27.examp1e.com.    3508    IN      CNAME   chain26.examp1e.com.
>>> chain26.examp1e.com.    3508    IN      CNAME   chain25.examp1e.com.
>>> chain25.examp1e.com.    3499    IN      CNAME   chain24.examp1e.com.
>>> chain24.examp1e.com.    3499    IN      CNAME   chain23.examp1e.com.
>>> chain23.examp1e.com.    3500    IN      CNAME   chain22.examp1e.com.
>>> chain22.examp1e.com.    3500    IN      CNAME   chain21.examp1e.com.
>>> chain21.examp1e.com.    3500    IN      CNAME   chain20.examp1e.com.
>>> chain20.examp1e.com.    3447    IN      CNAME   chain19.examp1e.com.
>>> chain19.examp1e.com.    3447    IN      CNAME   chain18.examp1e.com.
>>> chain18.examp1e.com.    3447    IN      CNAME   chain17.examp1e.com.
>>> chain17.examp1e.com.    3448    IN      CNAME   chain16.examp1e.com.
>>> chain16.examp1e.com.    3448    IN      CNAME   chain15.examp1e.com.
>>> chain15.examp1e.com.    3448    IN      CNAME   chain14.examp1e.com.
>>> chain14.examp1e.com.    3448    IN      CNAME   chain13.examp1e.com.
>>> chain13.examp1e.com.    3448    IN      CNAME   chain12.examp1e.com.
>>> chain12.examp1e.com.    3449    IN      CNAME   chain11.examp1e.com.
>>> chain11.examp1e.com.    3486    IN      CNAME   chain10.examp1e.com.
>>> chain10.examp1e.com.    3455    IN      CNAME   chain9.examp1e.com.
>>> chain9.examp1e.com.     3455    IN      CNAME   chain8.examp1e.com.
>>> chain8.examp1e.com.     3455    IN      CNAME   chain7.examp1e.com.
>>> chain7.examp1e.com.     3455    IN      CNAME   chain6.examp1e.com.
>>> chain6.examp1e.com.     3455    IN      CNAME   chain5.examp1e.com.
>>> chain5.examp1e.com.     3455    IN      CNAME   chain4.examp1e.com.
>>> chain4.examp1e.com.     3455    IN      CNAME   chain3.examp1e.com.
>>> chain3.examp1e.com.     3455    IN      CNAME   chain2.examp1e.com.
>>> chain2.examp1e.com.     3455    IN      CNAME   chain1.examp1e.com.
>>> chain1.examp1e.com.     3466    IN      CNAME   chain0.examp1e.com.
>>> chain0.examp1e.com.     3460    IN      A       64.57.183.119
>>>
>>> ;; Query time: 2 msec
>>> ;; SERVER: 192.168.80.2#53(192.168.80.2)
>>> ;; WHEN: Wed May 27 13:31:17 EDT 2020
>>> ;; MSG SIZE  rcvd: 2275
>>> _______________________________________________
>>> DNSOP mailing list
>>> DNSOP@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dnsop
>>>
>>
>

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
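Added example (not from the thread, and not any browser's or resolver's code): a stand-alone Python sketch of the decisions a stub resolver faces with a response like the one in John's dig output. It builds a wire-format response with RFC 1035 label compression that mirrors the chain.examp1e.com layout (constructed data; the examp1e.com names and 64.57.183.119 come from the thread, the TTL and message ID are arbitrary), checks the TC bit (the "retry over TCP" case John asks about), walks the CNAME chain inside the answer section, and reports whether it reached an address, stopped short of one (the situation Eric describes, where Chrome's built-in stub would not send a follow-up query), looped, or exceeded a local link limit. `max_links` is a hypothetical policy knob for illustration, not any implementation's constant; the pointer-hop cap in `read_name` is likewise an arbitrary sanity bound.

```python
import struct

TC_FLAG = 0x0200          # header bit: answer truncated, client should retry over TCP
TYPE_A, TYPE_CNAME = 1, 5

def encode_name(name, msg_len, table):
    """Wire-encode a name with RFC 1035 label compression (table: suffix -> offset)."""
    labels = name.rstrip(".").lower().split(".")
    out = b""
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in table:                                    # point at the earlier copy
            return out + struct.pack("!H", 0xC000 | table[suffix])
        if msg_len + len(out) < 0x3FFF: table[suffix] = msg_len + len(out)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_response(qname, answers, tc=False):
    """Build a response to an A query; answers are (owner, rtype, target name or dotted IPv4)."""
    table = {}
    flags = 0x8180 | (TC_FLAG if tc else 0)                   # QR, RD, RA, NOERROR
    msg = bytearray(struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0))
    msg += encode_name(qname, len(msg), table) + struct.pack("!HH", TYPE_A, 1)
    for owner, rtype, rdata in answers:
        msg += encode_name(owner, len(msg), table)
        if rtype == TYPE_CNAME:
            rd = encode_name(rdata, len(msg) + 10, table)    # RDATA follows 10 fixed bytes
        else:
            rd = bytes(int(x) for x in rdata.split("."))
        msg += struct.pack("!HHIH", rtype, 1, 3600, len(rd)) + rd
    return bytes(msg)

def read_name(msg, off):
    """Decode a possibly-compressed name -> (lower-case FQDN, offset past it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        l = msg[off]
        if (l & 0xC0) == 0xC0:                                 # compression pointer
            end = off + 2 if end is None else end
            off = ((l & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 64: raise ValueError("compression pointer loop")   # malformed message
            continue
        off += 1
        if l == 0: break
        labels.append(msg[off:off + l].decode("ascii").lower())
        off += l
    return ".".join(labels) + ".", (off if end is None else end)

def parse_response(msg):
    """Return (flags, answer-section records) from a wire-format response."""
    _, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4                       # skip QNAME, QTYPE, QCLASS
    records = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = bytes(msg[off:off + rdlen])                    # raw unless decoded below
        if rtype == TYPE_CNAME: rdata, _ = read_name(msg, off)
        elif rtype == TYPE_A: rdata = ".".join(str(b) for b in rdata)
        off += rdlen
        records.append((owner, rtype, rdata))
    return flags, records

def follow_chain(qname, records, max_links=None):
    """Walk the CNAME chain in one answer section -> (status, links, detail)."""
    cnames = {o: r for o, t, r in records if t == TYPE_CNAME}
    addrs = {}
    for o, t, r in records:
        if t == TYPE_A: addrs.setdefault(o, []).append(r)
    name, seen, links = qname.lower().rstrip(".") + ".", set(), 0
    while True:
        if name in addrs:
            return "resolved", links, addrs[name]
        if name not in cnames:
            return "incomplete", links, name                   # stub must re-query this name
        if name in seen:
            return "loop", links, name
        if max_links is not None and links >= max_links:
            return "too-long", links, name                     # local policy limit hit
        seen.add(name)
        name, links = cnames[name], links + 1

def classify(msg, qname, max_links=None):
    """What a stub should do with a response: retry over TCP, accept, re-query, or give up."""
    flags, records = parse_response(msg)
    if flags & TC_FLAG:
        return "truncated", 0, None
    return follow_chain(qname, records, max_links)

def make_chain(n, apex="examp1e.com", addr="64.57.183.119"):
    """Constructed data mirroring the thread: chain -> chainN -> ... -> chain0 -> A."""
    answers = [(f"chain.{apex}", TYPE_CNAME, f"chain{n}.{apex}")]
    answers += [(f"chain{i}.{apex}", TYPE_CNAME, f"chain{i - 1}.{apex}") for i in range(n, 0, -1)]
    answers.append((f"chain0.{apex}", TYPE_A, addr))
    return answers
```

`classify(build_response("chain.examp1e.com", make_chain(100)), "chain.examp1e.com")` walks all 101 links to 64.57.183.119; the same message with only the first five records comes back "incomplete" with chain96.examp1e.com as the name a stub would have to ask for next, and with `tc=True` it comes back "truncated". The compressed message is a little over 2 KB, past the classic 512-byte UDP limit, which is why the dig run above needed either the 4096-byte EDNS buffer or the TCP retry.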