Re: [DNSOP] CNAME chain length limits
Eric Orth <ericorth@google.com> Wed, 27 May 2020 19:03 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/uJu2hAGBJDNnVrpcsUBhRbiKNFo>
On Wed, May 27, 2020 at 1:49 PM John R Levine <johnl@taugh.com> wrote:

> While I should have been doing something else, I made a rather long CNAME
> chain. When I looked up chain.examp1e.com it got SERVFAIL, but after I
> warmed up my cache five links at a time by looking for chain5, chain10,
> chain15, and so forth, it worked. At least it worked in "dig" and "host".
> When I try and look up http://chain.examp1e.com, Chrome waits a while
> and says not found,

If Chrome is using its built-in stub, there's not expected to be a limit (other than the overall message size limits), but nothing tests chains this long other than security fuzzers that are only looking for crashes or memory issues.

> Firefox waits a while and says "Hmm. We’re having
> trouble finding that site." and Safari on my Mac hangs. (Feel free to try
> it yourself.)
>
> I realize the answer to most questions like this can be summarized as
> "don't do that", but is there any consensus as to the maximum CNAME chain
> length that works reliably, and what happens if the chain is too long?
> Hanging seems sub-optimal.
>
> Regards,
> John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly
>
> $ dig chain.examp1e.com A
> ;; Truncated, retrying in TCP mode.
>
> ; <<>> DiG 9.10.6 <<>> chain.examp1e.com a
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59001
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 102, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;chain.examp1e.com. IN A
>
> ;; ANSWER SECTION:
> chain.examp1e.com. 3371 IN CNAME chain100.examp1e.com.
> chain100.examp1e.com. 3371 IN CNAME chain99.examp1e.com.
> chain99.examp1e.com. 3371 IN CNAME chain98.examp1e.com.
> chain98.examp1e.com. 3371 IN CNAME chain97.examp1e.com.
> chain97.examp1e.com. 3371 IN CNAME chain96.examp1e.com.
> chain96.examp1e.com. 3372 IN CNAME chain95.examp1e.com.
> chain95.examp1e.com. 3372 IN CNAME chain94.examp1e.com.
> chain94.examp1e.com. 3372 IN CNAME chain93.examp1e.com.
> chain93.examp1e.com. 3372 IN CNAME chain92.examp1e.com.
> chain92.examp1e.com. 3589 IN CNAME chain91.examp1e.com.
> chain91.examp1e.com. 3589 IN CNAME chain90.examp1e.com.
> chain90.examp1e.com. 3583 IN CNAME chain89.examp1e.com.
> chain89.examp1e.com. 3583 IN CNAME chain88.examp1e.com.
> chain88.examp1e.com. 3583 IN CNAME chain87.examp1e.com.
> chain87.examp1e.com. 3583 IN CNAME chain86.examp1e.com.
> chain86.examp1e.com. 3583 IN CNAME chain85.examp1e.com.
> chain85.examp1e.com. 3577 IN CNAME chain84.examp1e.com.
> chain84.examp1e.com. 3578 IN CNAME chain83.examp1e.com.
> chain83.examp1e.com. 3578 IN CNAME chain82.examp1e.com.
> chain82.examp1e.com. 3578 IN CNAME chain81.examp1e.com.
> chain81.examp1e.com. 3579 IN CNAME chain80.examp1e.com.
> chain80.examp1e.com. 3570 IN CNAME chain79.examp1e.com.
> chain79.examp1e.com. 3571 IN CNAME chain78.examp1e.com.
> chain78.examp1e.com. 3571 IN CNAME chain77.examp1e.com.
> chain77.examp1e.com. 3571 IN CNAME chain76.examp1e.com.
> chain76.examp1e.com. 3572 IN CNAME chain75.examp1e.com.
> chain75.examp1e.com. 3564 IN CNAME chain74.examp1e.com.
> chain74.examp1e.com. 3564 IN CNAME chain73.examp1e.com.
> chain73.examp1e.com. 3564 IN CNAME chain72.examp1e.com.
> chain72.examp1e.com. 3564 IN CNAME chain71.examp1e.com.
> chain71.examp1e.com. 3564 IN CNAME chain70.examp1e.com.
> chain70.examp1e.com. 3519 IN CNAME chain69.examp1e.com.
> chain69.examp1e.com. 3519 IN CNAME chain68.examp1e.com.
> chain68.examp1e.com. 3519 IN CNAME chain67.examp1e.com.
> chain67.examp1e.com. 3519 IN CNAME chain66.examp1e.com.
> chain66.examp1e.com. 3519 IN CNAME chain65.examp1e.com.
> chain65.examp1e.com. 3519 IN CNAME chain64.examp1e.com.
> chain64.examp1e.com. 3520 IN CNAME chain63.examp1e.com.
> chain63.examp1e.com. 3520 IN CNAME chain62.examp1e.com.
> chain62.examp1e.com. 3520 IN CNAME chain61.examp1e.com.
> chain61.examp1e.com. 3554 IN CNAME chain60.examp1e.com.
> chain60.examp1e.com. 3549 IN CNAME chain59.examp1e.com.
> chain59.examp1e.com. 3549 IN CNAME chain58.examp1e.com.
> chain58.examp1e.com. 3549 IN CNAME chain57.examp1e.com.
> chain57.examp1e.com. 3549 IN CNAME chain56.examp1e.com.
> chain56.examp1e.com. 3549 IN CNAME chain55.examp1e.com.
> chain55.examp1e.com. 3535 IN CNAME chain54.examp1e.com.
> chain54.examp1e.com. 3536 IN CNAME chain53.examp1e.com.
> chain53.examp1e.com. 3536 IN CNAME chain52.examp1e.com.
> chain52.examp1e.com. 3536 IN CNAME chain51.examp1e.com.
> chain51.examp1e.com. 3536 IN CNAME chain50.examp1e.com.
> chain50.examp1e.com. 3536 IN CNAME chain49.examp1e.com.
> chain49.examp1e.com. 3536 IN CNAME chain48.examp1e.com.
> chain48.examp1e.com. 3536 IN CNAME chain47.examp1e.com.
> chain47.examp1e.com. 3536 IN CNAME chain46.examp1e.com.
> chain46.examp1e.com. 3541 IN CNAME chain45.examp1e.com.
> chain45.examp1e.com. 3531 IN CNAME chain44.examp1e.com.
> chain44.examp1e.com. 3531 IN CNAME chain43.examp1e.com.
> chain43.examp1e.com. 3531 IN CNAME chain42.examp1e.com.
> chain42.examp1e.com. 3531 IN CNAME chain41.examp1e.com.
> chain41.examp1e.com. 3531 IN CNAME chain40.examp1e.com.
> chain40.examp1e.com. 3525 IN CNAME chain39.examp1e.com.
> chain39.examp1e.com. 3526 IN CNAME chain38.examp1e.com.
> chain38.examp1e.com. 3526 IN CNAME chain37.examp1e.com.
> chain37.examp1e.com. 3526 IN CNAME chain36.examp1e.com.
> chain36.examp1e.com. 3526 IN CNAME chain35.examp1e.com.
> chain35.examp1e.com. 3513 IN CNAME chain34.examp1e.com.
> chain34.examp1e.com. 3513 IN CNAME chain33.examp1e.com.
> chain33.examp1e.com. 3513 IN CNAME chain32.examp1e.com.
> chain32.examp1e.com. 3513 IN CNAME chain31.examp1e.com.
> chain31.examp1e.com. 3513 IN CNAME chain30.examp1e.com.
> chain30.examp1e.com. 3508 IN CNAME chain29.examp1e.com.
> chain29.examp1e.com. 3508 IN CNAME chain28.examp1e.com.
> chain28.examp1e.com. 3508 IN CNAME chain27.examp1e.com.
> chain27.examp1e.com. 3508 IN CNAME chain26.examp1e.com.
> chain26.examp1e.com. 3508 IN CNAME chain25.examp1e.com.
> chain25.examp1e.com. 3499 IN CNAME chain24.examp1e.com.
> chain24.examp1e.com. 3499 IN CNAME chain23.examp1e.com.
> chain23.examp1e.com. 3500 IN CNAME chain22.examp1e.com.
> chain22.examp1e.com. 3500 IN CNAME chain21.examp1e.com.
> chain21.examp1e.com. 3500 IN CNAME chain20.examp1e.com.
> chain20.examp1e.com. 3447 IN CNAME chain19.examp1e.com.
> chain19.examp1e.com. 3447 IN CNAME chain18.examp1e.com.
> chain18.examp1e.com. 3447 IN CNAME chain17.examp1e.com.
> chain17.examp1e.com. 3448 IN CNAME chain16.examp1e.com.
> chain16.examp1e.com. 3448 IN CNAME chain15.examp1e.com.
> chain15.examp1e.com. 3448 IN CNAME chain14.examp1e.com.
> chain14.examp1e.com. 3448 IN CNAME chain13.examp1e.com.
> chain13.examp1e.com. 3448 IN CNAME chain12.examp1e.com.
> chain12.examp1e.com. 3449 IN CNAME chain11.examp1e.com.
> chain11.examp1e.com. 3486 IN CNAME chain10.examp1e.com.
> chain10.examp1e.com. 3455 IN CNAME chain9.examp1e.com.
> chain9.examp1e.com. 3455 IN CNAME chain8.examp1e.com.
> chain8.examp1e.com. 3455 IN CNAME chain7.examp1e.com.
> chain7.examp1e.com. 3455 IN CNAME chain6.examp1e.com.
> chain6.examp1e.com. 3455 IN CNAME chain5.examp1e.com.
> chain5.examp1e.com. 3455 IN CNAME chain4.examp1e.com.
> chain4.examp1e.com. 3455 IN CNAME chain3.examp1e.com.
> chain3.examp1e.com. 3455 IN CNAME chain2.examp1e.com.
> chain2.examp1e.com. 3455 IN CNAME chain1.examp1e.com.
> chain1.examp1e.com. 3466 IN CNAME chain0.examp1e.com.
> chain0.examp1e.com. 3460 IN A 64.57.183.119
>
> ;; Query time: 2 msec
> ;; SERVER: 192.168.80.2#53(192.168.80.2)
> ;; WHEN: Wed May 27 13:31:17 EDT 2020
> ;; MSG SIZE rcvd: 2275
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
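
The question in this thread is what a client should do with a chain like the one in the quoted dig output. As an added example (not part of either message, and not Chrome's or any other resolver's code), here is a stub-side chain walk over one response's answer section that returns a definite error on an over-long or looping chain rather than hanging. The names `follow_chain`, `sample_answers` and `ChainError` are hypothetical, and the cap of 16 hops is an assumed policy value; the thread states no agreed limit.

```python
MAX_CNAME_HOPS = 16  # assumed policy value; the thread states no agreed limit


class ChainError(Exception):
    """Definite resolution failure, raised instead of hanging or spinning."""


def norm(name):
    # DNS names compare case-insensitively; ignore the trailing root dot.
    return name.rstrip(".").lower()


def follow_chain(qname, answers, max_hops=MAX_CNAME_HOPS):
    """answers: (owner, rtype, rdata) tuples from a single response.
    Returns (addresses, hops) or raises ChainError."""
    cname, addrs = {}, {}
    for owner, rtype, rdata in answers:
        if rtype == "CNAME":
            cname[norm(owner)] = norm(rdata)
        elif rtype == "A":
            addrs.setdefault(norm(owner), []).append(rdata)
    current = norm(qname)
    seen = {current}
    hops = 0
    while current not in addrs:
        if current not in cname:
            raise ChainError("chain ends at %s with no address" % current)
        if hops == max_hops:
            raise ChainError("more than %d CNAME hops" % max_hops)
        current = cname[current]
        hops += 1
        if current in seen:  # a cycle would otherwise run until the hop cap
            raise ChainError("CNAME loop at %s" % current)
        seen.add(current)
    return addrs[current], hops


def sample_answers(links):
    # Constructed records shaped like the dig answer section quoted above.
    recs = [("chain.examp1e.com.", "CNAME", "chain%d.examp1e.com." % links)]
    for i in range(links, 0, -1):
        recs.append(("chain%d.examp1e.com." % i, "CNAME",
                     "chain%d.examp1e.com." % (i - 1)))
    recs.append(("chain0.examp1e.com.", "A", "64.57.183.119"))
    return recs
```

With the cap raised above the chain length, the constructed 102-record answer resolves in 101 hops; with the assumed default it fails fast with an error the caller can report.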