Bug#373781: resolver fails if CNAME points to A record in non-authoritative domain

Thu, 15 Jun 2006 07:55:53 -0700 

Package: libc6
Version: 2.3.2.ds1-22sarge3
Severity: normal

[this problem exists in libc6 all through unstable]

I set up our internal DNS server to answer a query for
gluck.mydebian.org with a CNAME for gluck.debian.org. However,
I cannot access it:

  piper:~> host gluck.mydebian.org
  gluck.mydebian.org    CNAME gluck.debian.org
  gluck.debian.org      A 192.25.206.10
  piper:~> ping gluck.mydebian.org
  ping: unknown host gluck.mydebian.org

The reason seems to be that the CNAME response does not contain the
A record, and the resolver doesn't bother to go out to resolve the
name pointed to by the CNAME.

This is what happens if I resolve a CNAME outside of my own network,
so my DNS server is caching/recursing only:

  192.168.20.21 -> 192.168.20.1 DNS Standard query A ftp.ch.debian.org
  192.168.20.1 -> 192.168.20.21 DNS Standard query response CNAME 
debian.ethz.ch A 129.132.86.196

Notice how the answer includes the A record.

This is what happens if the CNAME is resolved internally, but the
A record has to be resolved externally (or the other way around,
CNAME externally and A record internally):

  192.168.20.21 -> 192.168.20.1 DNS Standard query A gluck.mydebian.org
  192.168.20.1 -> 192.168.20.21 DNS Standard query response CNAME 
gluck.debian.org

Note the lack of A record.

Arguably, my DNS server (maradns) is at fault here, for it fails to
do the work the way one might expect. But in either case, the local
resolver *should* be able to cope with the situation, just like the
`host' utility:

  192.168.20.21 -> 192.168.20.1 DNS Standard query A gluck.mydebian.org
  192.168.20.1 -> 192.168.20.21 DNS Standard query response CNAME 
gluck.debian.org
  192.168.20.21 -> 192.168.20.1 DNS Standard query A gluck.debian.org
  192.168.20.1 -> 192.168.20.21 DNS Standard query response A 192.25.206.10

... which means that if all it gets is a CNAME in response to
request of (almost) any type, it should repeat the request for the
same type with the new name, IMHO.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Attachment: signature.asc
Description: Digital signature (GPG/PGP)

Reply via email to