4

RFCs 1034 and 1035 state that CNAME records should cause no additional section processing, but I am seeing an increasing trend of services like WordPress sending a CNAME chain with one part of the chain in the additional section. So without parsing the additional section you cannot decode the DNS response.

Example:

;; QUESTION SECTION:
;after12.failblog.org.      IN  A

;; ANSWER SECTION:
after12.failblog.org.   3600    IN  CNAME   chzallnighter.wordpress.com.
vip-lb.wordpress.com.   300 IN  A   72.233.104.123
vip-lb.wordpress.com.   300 IN  A   76.74.255.117
vip-lb.wordpress.com.   300 IN  A   74.200.247.187
vip-lb.wordpress.com.   300 IN  A   74.200.247.59
vip-lb.wordpress.com.   300 IN  A   76.74.255.123
vip-lb.wordpress.com.   300 IN  A   72.233.127.217

;; AUTHORITY SECTION:
wordpress.com.      14400   IN  NS  ns1.wordpress.com.
wordpress.com.      14400   IN  NS  ns2.wordpress.com.
wordpress.com.      14400   IN  NS  ns3.wordpress.com.
wordpress.com.      14400   IN  NS  ns4.wordpress.com.
wordpress.com.      14400   IN  NS  ns5.wordpress.com.
wordpress.com.      14400   IN  NS  ns6.wordpress.com.

;; ADDITIONAL SECTION:
chzallnighter.wordpress.com. 300 IN CNAME   vip-lb.wordpress.com.
ns1.wordpress.com.  14400   IN  A   72.233.69.14
ns2.wordpress.com.  14400   IN  A   76.74.159.137
ns3.wordpress.com.  14400   IN  A   64.34.177.159
ns4.wordpress.com.  14400   IN  A   72.233.104.98
ns5.wordpress.com.  14400   IN  A   69.174.248.140
ns6.wordpress.com.  14400   IN  A   64.34.174.135

Note that "chzallnighter.wordpress.com. 300 IN CNAME vip-lb.wordpress.com." is in the Additional section, and without it you cannot get to the A records in the Answer.

Why are providers using such a tactic, and what does it really buy them?

creatiwit

1 Answer

3

The server you're talking to happens to be authoritative for both domains and gives you whatever it has. A smart client could optimize for this type of response, avoiding round-trips. One of those stretch-the-spec "make the web faster" type things.

A naive client might not notice that the server is authoritative for the CNAMEd domain, discard the additional data and re-query - ensuring a correct, secure result. A smart client can short-circuit a second query by noticing that it had asked server X for the original domain and that server X is also in the list of authoritative servers for the CNAMEd domain. Therefore the CNAME in the additional section is trustable.

Julian
  • This is just one example; any blog hosted on WordPress has the same resolution, as well as a set of select CDNs. MaraDNS had a bug fixed because of this, and BIND allows this as a valid response. Is my reading of the RFC incorrect, or is this not an invalid response? – creatiwit Jun 25 '12 at 20:50
  • Can you quote chapter & verse from the RFC which makes you think this might be illegal? – Julian Jun 25 '12 at 21:03
  • You are not specifying the NS to query for dig. It should be dig "@"ns1.wordpress.com, otherwise you are just getting a cached response from your resolver. RFC 1035: "CNAME RRs cause no additional section processing, but name servers may choose to restart the query at the canonical name in certain cases." RFC 2181: "Additional section processing does not include CNAME records, let alone the address records that may be associated with the canonical name derived from the alias." – creatiwit Jun 25 '12 at 21:10
  • Exactly, additional records are FYI; they cannot be made an integral part of the resolution. In fact some DNS servers won't even cache additional records. I just don't know why this is becoming an acceptable practice. – creatiwit Jun 25 '12 at 21:15
  • Hm, as I read the first quote - it does not exclude processing the additional section - just that it does not automatically induce such processing. The second quote is in a section related to MX and NS records - the section starts with "resource record must not be an alias." But this wouldn't apply to A records. – Julian Jun 25 '12 at 21:15
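As an added example (not code from the question or the answer), here is a minimal resolver-side walk over the records above: it follows the CNAME chain using only the ANSWER section, which dangles at chzallnighter.wordpress.com., and then again while accepting an ADDITIONAL-section CNAME only under the bailiwick check Julian describes, namely that the server asked is listed as an NS for a zone containing the CNAME's owner. The record lists are transcribed and trimmed from the dig output in the question; the name of the queried server (ns1.wordpress.com.) is an assumption, since the question does not say which server answered.

```python
from collections import namedtuple

RR = namedtuple("RR", "name ttl rtype rdata")

def rr(line):
    """Parse one dig-style presentation line into an RR (names lowercased)."""
    name, ttl, _cls, rtype, rdata = line.split()
    return RR(name.lower(), int(ttl), rtype, rdata.lower())

def section(text):
    return [rr(l) for l in text.splitlines() if l.strip()]

# Records transcribed (and trimmed) from the dig output in the question.
ANSWER = section("""
after12.failblog.org. 3600 IN CNAME chzallnighter.wordpress.com.
vip-lb.wordpress.com. 300 IN A 72.233.104.123
vip-lb.wordpress.com. 300 IN A 76.74.255.117
""")
AUTHORITY = section("""
wordpress.com. 14400 IN NS ns1.wordpress.com.
wordpress.com. 14400 IN NS ns2.wordpress.com.
""")
ADDITIONAL = section("""
chzallnighter.wordpress.com. 300 IN CNAME vip-lb.wordpress.com.
ns1.wordpress.com. 14400 IN A 72.233.69.14
""")

def in_bailiwick(name, zone):
    return name == zone or name.endswith("." + zone)

def resolve(qname, queried_server, trust_additional=False, max_hops=8):
    """Follow the CNAME chain for qname. Returns (A rdata list, hops);
    an empty list means the chain dangles and a fresh query is needed.
    With trust_additional, a CNAME from ADDITIONAL is used only if its
    owner lies in a zone whose NS set contains the server we asked
    (queried_server is an assumed value, not taken from the question)."""
    trusted = list(ANSWER)
    if trust_additional:
        zones = {a.name for a in AUTHORITY
                 if a.rtype == "NS" and a.rdata == queried_server.lower()}
        trusted += [r for r in ADDITIONAL if r.rtype == "CNAME"
                    and any(in_bailiwick(r.name, z) for z in zones)]
    name, hops = qname.lower(), 0
    while hops < max_hops:
        addrs = [r.rdata for r in trusted if r.name == name and r.rtype == "A"]
        if addrs:
            return addrs, hops
        cnames = [r.rdata for r in trusted if r.name == name and r.rtype == "CNAME"]
        if not cnames:
            return [], hops   # dangling chain: `name` must be re-queried
        name, hops = cnames[0], hops + 1
    return [], hops
```

The strict walk stops after one hop with no addresses, while the bailiwick-checked walk reaches the A records in two hops; an out-of-bailiwick server name makes the additional CNAME untrusted again.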