Re: [DNSOP] CNAME chain length limits
John R Levine <johnl@taugh.com> Wed, 27 May 2020 19:23 UTC
To: Eric Orth <ericorth@google.com>
Cc: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pht0ZNG9yOjBvYVoE7zglIyLhmk>

> I should also note though that Chrome's built-in stub won't do any followup
> queries if the full chain is not in the response from the recursive.

Interesting point -- if the result is truncated will it requery with TCP?

>
> On Wed, May 27, 2020 at 3:03 PM Eric Orth <ericorth@google.com> wrote:
>
>> On Wed, May 27, 2020 at 1:49 PM John R Levine <johnl@taugh.com> wrote:
>>
>>> While I should have been doing something else, I made a rather long CNAME
>>> chain. When I looked up chain.examp1e.com it got SERVFAIL, but after I
>>> warmed up my cache five links at a time by looking for chain5, chain10,
>>> chain15, and so forth, it worked. At least it worked in "dig" and
>>> "host".
>>> When I try and look up http://chain.examp1e.com, Chrome waits a while
>>> and says not found,
>>
>> If Chrome is using its built-in stub, there's not expected to be a limit
>> (other than the overall message size limits), but nothing tests chains this
>> long other than security fuzzers that are only looking for crashes or
>> memory issues.
>>
>>> Firefox waits a while and says "Hmm. We’re having
>>> trouble finding that site." and Safari on my Mac hangs. (Feel free to
>>> try it yourself.)
>>>
>>> I realize the answer to most questions like this can be summarized as
>>> "don't do that", but is there any consensus as to the maximum CNAME chain
>>> length that works reliably, and what happens if the chain is too long?
>>> Hanging seems sub-optimal.
>>>
>>> Regards,
>>> John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
>>> Please consider the environment before reading this e-mail. https://jl.ly
>>>
>>> $ dig chain.examp1e.com A
>>> ;; Truncated, retrying in TCP mode.
>>>
>>> ; <<>> DiG 9.10.6 <<>> chain.examp1e.com a
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59001
>>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 102, AUTHORITY: 0, ADDITIONAL: 1
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 4096
>>> ;; QUESTION SECTION:
>>> ;chain.examp1e.com. IN A
>>>
>>> ;; ANSWER SECTION:
>>> chain.examp1e.com. 3371 IN CNAME chain100.examp1e.com.
>>> chain100.examp1e.com. 3371 IN CNAME chain99.examp1e.com.
>>> chain99.examp1e.com. 3371 IN CNAME chain98.examp1e.com.
>>> chain98.examp1e.com. 3371 IN CNAME chain97.examp1e.com.
>>> chain97.examp1e.com. 3371 IN CNAME chain96.examp1e.com.
>>> chain96.examp1e.com. 3372 IN CNAME chain95.examp1e.com.
>>> chain95.examp1e.com. 3372 IN CNAME chain94.examp1e.com.
>>> chain94.examp1e.com. 3372 IN CNAME chain93.examp1e.com.
>>> chain93.examp1e.com. 3372 IN CNAME chain92.examp1e.com.
>>> chain92.examp1e.com. 3589 IN CNAME chain91.examp1e.com.
>>> chain91.examp1e.com. 3589 IN CNAME chain90.examp1e.com.
>>> chain90.examp1e.com. 3583 IN CNAME chain89.examp1e.com.
>>> chain89.examp1e.com. 3583 IN CNAME chain88.examp1e.com.
>>> chain88.examp1e.com. 3583 IN CNAME chain87.examp1e.com.
>>> chain87.examp1e.com. 3583 IN CNAME chain86.examp1e.com.
>>> chain86.examp1e.com. 3583 IN CNAME chain85.examp1e.com.
>>> chain85.examp1e.com. 3577 IN CNAME chain84.examp1e.com.
>>> chain84.examp1e.com. 3578 IN CNAME chain83.examp1e.com.
>>> chain83.examp1e.com. 3578 IN CNAME chain82.examp1e.com.
>>> chain82.examp1e.com. 3578 IN CNAME chain81.examp1e.com.
>>> chain81.examp1e.com. 3579 IN CNAME chain80.examp1e.com.
>>> chain80.examp1e.com. 3570 IN CNAME chain79.examp1e.com.
>>> chain79.examp1e.com. 3571 IN CNAME chain78.examp1e.com.
>>> chain78.examp1e.com. 3571 IN CNAME chain77.examp1e.com.
>>> chain77.examp1e.com. 3571 IN CNAME chain76.examp1e.com.
>>> chain76.examp1e.com. 3572 IN CNAME chain75.examp1e.com.
>>> chain75.examp1e.com. 3564 IN CNAME chain74.examp1e.com.
>>> chain74.examp1e.com. 3564 IN CNAME chain73.examp1e.com.
>>> chain73.examp1e.com. 3564 IN CNAME chain72.examp1e.com.
>>> chain72.examp1e.com. 3564 IN CNAME chain71.examp1e.com.
>>> chain71.examp1e.com. 3564 IN CNAME chain70.examp1e.com.
>>> chain70.examp1e.com. 3519 IN CNAME chain69.examp1e.com.
>>> chain69.examp1e.com. 3519 IN CNAME chain68.examp1e.com.
>>> chain68.examp1e.com. 3519 IN CNAME chain67.examp1e.com.
>>> chain67.examp1e.com. 3519 IN CNAME chain66.examp1e.com.
>>> chain66.examp1e.com. 3519 IN CNAME chain65.examp1e.com.
>>> chain65.examp1e.com. 3519 IN CNAME chain64.examp1e.com.
>>> chain64.examp1e.com. 3520 IN CNAME chain63.examp1e.com.
>>> chain63.examp1e.com. 3520 IN CNAME chain62.examp1e.com.
>>> chain62.examp1e.com. 3520 IN CNAME chain61.examp1e.com.
>>> chain61.examp1e.com. 3554 IN CNAME chain60.examp1e.com.
>>> chain60.examp1e.com. 3549 IN CNAME chain59.examp1e.com.
>>> chain59.examp1e.com. 3549 IN CNAME chain58.examp1e.com.
>>> chain58.examp1e.com. 3549 IN CNAME chain57.examp1e.com.
>>> chain57.examp1e.com. 3549 IN CNAME chain56.examp1e.com.
>>> chain56.examp1e.com. 3549 IN CNAME chain55.examp1e.com.
>>> chain55.examp1e.com. 3535 IN CNAME chain54.examp1e.com.
>>> chain54.examp1e.com. 3536 IN CNAME chain53.examp1e.com.
>>> chain53.examp1e.com. 3536 IN CNAME chain52.examp1e.com.
>>> chain52.examp1e.com. 3536 IN CNAME chain51.examp1e.com.
>>> chain51.examp1e.com. 3536 IN CNAME chain50.examp1e.com.
>>> chain50.examp1e.com. 3536 IN CNAME chain49.examp1e.com.
>>> chain49.examp1e.com. 3536 IN CNAME chain48.examp1e.com.
>>> chain48.examp1e.com. 3536 IN CNAME chain47.examp1e.com.
>>> chain47.examp1e.com. 3536 IN CNAME chain46.examp1e.com.
>>> chain46.examp1e.com. 3541 IN CNAME chain45.examp1e.com.
>>> chain45.examp1e.com. 3531 IN CNAME chain44.examp1e.com.
>>> chain44.examp1e.com. 3531 IN CNAME chain43.examp1e.com.
>>> chain43.examp1e.com. 3531 IN CNAME chain42.examp1e.com.
>>> chain42.examp1e.com. 3531 IN CNAME chain41.examp1e.com.
>>> chain41.examp1e.com. 3531 IN CNAME chain40.examp1e.com.
>>> chain40.examp1e.com. 3525 IN CNAME chain39.examp1e.com.
>>> chain39.examp1e.com. 3526 IN CNAME chain38.examp1e.com.
>>> chain38.examp1e.com. 3526 IN CNAME chain37.examp1e.com.
>>> chain37.examp1e.com. 3526 IN CNAME chain36.examp1e.com.
>>> chain36.examp1e.com. 3526 IN CNAME chain35.examp1e.com.
>>> chain35.examp1e.com. 3513 IN CNAME chain34.examp1e.com.
>>> chain34.examp1e.com. 3513 IN CNAME chain33.examp1e.com.
>>> chain33.examp1e.com. 3513 IN CNAME chain32.examp1e.com.
>>> chain32.examp1e.com. 3513 IN CNAME chain31.examp1e.com.
>>> chain31.examp1e.com. 3513 IN CNAME chain30.examp1e.com.
>>> chain30.examp1e.com. 3508 IN CNAME chain29.examp1e.com.
>>> chain29.examp1e.com. 3508 IN CNAME chain28.examp1e.com.
>>> chain28.examp1e.com. 3508 IN CNAME chain27.examp1e.com.
>>> chain27.examp1e.com. 3508 IN CNAME chain26.examp1e.com.
>>> chain26.examp1e.com. 3508 IN CNAME chain25.examp1e.com.
>>> chain25.examp1e.com. 3499 IN CNAME chain24.examp1e.com.
>>> chain24.examp1e.com. 3499 IN CNAME chain23.examp1e.com.
>>> chain23.examp1e.com. 3500 IN CNAME chain22.examp1e.com.
>>> chain22.examp1e.com. 3500 IN CNAME chain21.examp1e.com.
>>> chain21.examp1e.com. 3500 IN CNAME chain20.examp1e.com.
>>> chain20.examp1e.com. 3447 IN CNAME chain19.examp1e.com.
>>> chain19.examp1e.com. 3447 IN CNAME chain18.examp1e.com.
>>> chain18.examp1e.com. 3447 IN CNAME chain17.examp1e.com.
>>> chain17.examp1e.com. 3448 IN CNAME chain16.examp1e.com.
>>> chain16.examp1e.com. 3448 IN CNAME chain15.examp1e.com.
>>> chain15.examp1e.com. 3448 IN CNAME chain14.examp1e.com.
>>> chain14.examp1e.com. 3448 IN CNAME chain13.examp1e.com.
>>> chain13.examp1e.com. 3448 IN CNAME chain12.examp1e.com.
>>> chain12.examp1e.com. 3449 IN CNAME chain11.examp1e.com.
>>> chain11.examp1e.com. 3486 IN CNAME chain10.examp1e.com.
>>> chain10.examp1e.com. 3455 IN CNAME chain9.examp1e.com.
>>> chain9.examp1e.com. 3455 IN CNAME chain8.examp1e.com.
>>> chain8.examp1e.com. 3455 IN CNAME chain7.examp1e.com.
>>> chain7.examp1e.com. 3455 IN CNAME chain6.examp1e.com.
>>> chain6.examp1e.com. 3455 IN CNAME chain5.examp1e.com.
>>> chain5.examp1e.com. 3455 IN CNAME chain4.examp1e.com.
>>> chain4.examp1e.com. 3455 IN CNAME chain3.examp1e.com.
>>> chain3.examp1e.com. 3455 IN CNAME chain2.examp1e.com.
>>> chain2.examp1e.com. 3455 IN CNAME chain1.examp1e.com.
>>> chain1.examp1e.com. 3466 IN CNAME chain0.examp1e.com.
>>> chain0.examp1e.com. 3460 IN A 64.57.183.119
>>>
>>> ;; Query time: 2 msec
>>> ;; SERVER: 192.168.80.2#53(192.168.80.2)
>>> ;; WHEN: Wed May 27 13:31:17 EDT 2020
>>> ;; MSG SIZE rcvd: 2275
>>> _______________________________________________
>>> DNSOP mailing list
>>> DNSOP@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dnsop
>>>
>>
>

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
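
Added example (not part of the original message, and not code from any browser or resolver): a stub-side walker that follows a CNAME chain using only the records in one response, with no follow-up queries, and reports whether the chain is complete, incomplete, looping, or over a hop limit. The function names, the `max_hops` default of 16 and the `example.test.` sample records are assumptions constructed for the illustration.

```python
from enum import Enum

class Outcome(Enum):
    RESOLVED = "resolved"      # chain ends in a non-CNAME record
    INCOMPLETE = "incomplete"  # chain ends on a name absent from this response
    LOOP = "loop"              # a name repeats
    TOO_LONG = "too_long"      # hop limit reached before the chain ended

def parse_answers(text):
    """Parse dig-style answer lines into {owner: (rtype, rdata)}."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or line.lstrip().startswith(";"):
            continue  # skip comments, headers and blank lines
        owner, _ttl, _cls, rtype, rdata = parts[:5]
        records.setdefault(owner.lower(), (rtype.upper(), rdata))
    return records

def walk_chain(records, qname, max_hops=16):
    """Follow CNAMEs within a single response; max_hops is an arbitrary cap."""
    name, seen, hops = qname.lower(), set(), 0
    while True:
        if name in seen:
            return Outcome.LOOP, hops, None
        seen.add(name)
        rec = records.get(name)
        if rec is None:
            return Outcome.INCOMPLETE, hops, None
        rtype, rdata = rec
        if rtype != "CNAME":
            return Outcome.RESOLVED, hops, rdata
        if hops >= max_hops:
            return Outcome.TOO_LONG, hops, None
        name, hops = rdata.lower(), hops + 1

def build_chain(n, zone="example.test."):
    """Constructed sample: chain -> chainN -> ... -> chain0 -> A (doc address)."""
    lines = [f"chain.{zone} 3600 IN CNAME chain{n}.{zone}"]
    lines += [f"chain{i}.{zone} 3600 IN CNAME chain{i - 1}.{zone}"
              for i in range(n, 0, -1)]
    lines.append(f"chain0.{zone} 3600 IN A 192.0.2.1")
    return "\n".join(lines)

if __name__ == "__main__":
    recs = parse_answers(build_chain(100))
    print(walk_chain(recs, "chain.example.test."))                # default cap
    print(walk_chain(recs, "chain.example.test.", max_hops=200))  # cap raised
```

Returning a distinct outcome for each failure lets the caller fail fast with a specific error instead of hanging.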