Don't return dereferenced CNAMEs

Don't return dereferenced CNAMEs

Mark Moseley
I'm curious if there's a setting to tell powerdns not to be helpful and return the dereferenced CNAME.

That is, if I look up a given record and it's a CNAME that then points to an A record, don't try to then *also* return a lookup of the A record along with the CNAME.

The reasons for why it'd happen in our setup are annoying and I don't want to go into it :)

I've tried setting out-of-zone-additional-processing to 'no' but that doesn't seem to change anything.

It doesn't to break anything (and presumably a resolver that paid attention to these records would be subject to cache poisoning). But it's kind of weird and could be confusing to people looking at manual lookups.

_______________________________________________
Pdns-users mailing list
[hidden email]
http://mailman.powerdns.com/mailman/listinfo/pdns-users

Re: Don't return dereferenced CNAMEs

ktm@rice.edu
On Mon, Jun 08, 2015 at 02:51:13PM -0700, Mark Moseley wrote:

> I'm curious if there's a setting to tell powerdns not to be helpful and
> return the dereferenced CNAME.
>
> That is, if I look up a given record and it's a CNAME that then points to
> an A record, don't try to then *also* return a lookup of the A record along
> with the CNAME.
>
> The reasons for why it'd happen in our setup are annoying and I don't want
> to go into it :)
>
> I've tried setting out-of-zone-additional-processing to 'no' but that
> doesn't seem to change anything.
>
> It doesn't to break anything (and presumably a resolver that paid attention
> to these records would be subject to cache poisoning). But it's kind of
> weird and could be confusing to people looking at manual lookups.

Hi Mark,

I think you will find that a lot of software will work quite poorly if
you do this. If you are performing a manual lookup, just ask for the
CNAME type in the lookup and that is what you will get.

Regards,
Ken


Re: Don't return dereferenced CNAMEs

Aki Tuomi
On Mon, Jun 08, 2015 at 05:04:50PM -0500, [hidden email] wrote:

> On Mon, Jun 08, 2015 at 02:51:13PM -0700, Mark Moseley wrote:
> > I'm curious if there's a setting to tell powerdns not to be helpful and
> > return the dereferenced CNAME.
> >
> > That is, if I look up a given record and it's a CNAME that then points to
> > an A record, don't try to then *also* return a lookup of the A record along
> > with the CNAME.
> >
> > The reasons for why it'd happen in our setup are annoying and I don't want
> > to go into it :)
> >
> > I've tried setting out-of-zone-additional-processing to 'no' but that
> > doesn't seem to change anything.
> >
> > It doesn't to break anything (and presumably a resolver that paid attention
> > to these records would be subject to cache poisoning). But it's kind of
> > weird and could be confusing to people looking at manual lookups.
>
> Hi Mark,
>
> I think you will find that a lot of software will work quite poorly if
> you do this. If you are performing a manual lookup, just ask for the
> CNAME type in the lookup and that is what you will get.
>
> Regards,
> Ken
>

It will be dereferenced if

 - you asked for something else than cname
 - you had recursion desired (use +norec)
 - the server has recursor setting defined
 - or has local answer

Aki


Re: Don't return dereferenced CNAMEs

Aki Tuomi
On Tue, Jun 09, 2015 at 09:19:09AM +0300, Aki Tuomi wrote:

> On Mon, Jun 08, 2015 at 05:04:50PM -0500, [hidden email] wrote:
> > On Mon, Jun 08, 2015 at 02:51:13PM -0700, Mark Moseley wrote:
> > > I'm curious if there's a setting to tell powerdns not to be helpful and
> > > return the dereferenced CNAME.
> > >
> > > That is, if I look up a given record and it's a CNAME that then points to
> > > an A record, don't try to then *also* return a lookup of the A record along
> > > with the CNAME.
> > >
> > > The reasons for why it'd happen in our setup are annoying and I don't want
> > > to go into it :)
> > >
> > > I've tried setting out-of-zone-additional-processing to 'no' but that
> > > doesn't seem to change anything.
> > >
> > > It doesn't to break anything (and presumably a resolver that paid attention
> > > to these records would be subject to cache poisoning). But it's kind of
> > > weird and could be confusing to people looking at manual lookups.
> >
> > Hi Mark,
> >
> > I think you will find that a lot of software will work quite poorly if
> > you do this. If you are performing a manual lookup, just ask for the
> > CNAME type in the lookup and that is what you will get.
> >
> > Regards,
> > Ken
> >
>
> It will be dereferenced if
>
>  - you asked for something else than cname
>  - you had recursion desired (use +norec)
>  - the server has recursor setting defined
>  - or has local answer
>
> Aki

A small clarification, I intended to say that use +norec to
negate dig default which is to set recursion desired on.

Aki


Re: Don't return dereferenced CNAMEs

Peter van Dijk
In reply to this post by Mark Moseley
Hello Mark,

On 8 Jun 2015, at 23:51, Mark Moseley wrote:

> I'm curious if there's a setting to tell powerdns not to be helpful and
> return the dereferenced CNAME.

No - truncating alias chains is wrong and can cause resolution failures
in conforming resolvers.

> The reasons for why it'd happen in our setup are annoying and I don't want
> to go into it :)

Please do try to explain, it is the only way we can help!

> I've tried setting out-of-zone-additional-processing to 'no' but that
> doesn't seem to change anything.

Additional processing is, indeed, not about CNAMEs, but about adding
A/AAAA records to the ADDITIONAL section of the response, for MX records
for example.

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
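
An added example, not part of the thread and not PowerDNS code: a sketch of how a resolver that applies a bailiwick check can treat the dereferenced records discussed above, keeping chain members inside the zone the server answers for and re-querying anything outside it. The `RR` type, `walk_answer`, the zone and the sample records are all constructed for illustration, and the bailiwick rule is a simplified suffix match.

```python
from typing import NamedTuple

class RR(NamedTuple):
    name: str
    rtype: str
    rdata: str

def norm(name: str) -> str:
    return name.rstrip(".").lower()

def in_bailiwick(name: str, zone: str) -> bool:
    name, zone = norm(name), norm(zone)
    return name == zone or name.endswith("." + zone)

def walk_answer(qname, qtype, answer, zone, max_hops=8):
    """Follow the CNAME chain in one ANSWER section.

    Returns (accepted, requery): the records a bailiwick-checking resolver
    would keep, and the name it still has to resolve itself (None if done).
    """
    by_owner = {}
    for rr in answer:
        by_owner.setdefault(norm(rr.name), []).append(rr)
    accepted, current = [], norm(qname)
    for _ in range(max_hops):
        if not in_bailiwick(current, zone):
            return accepted, current      # chain left the zone: ignore server's data
        rrs = by_owner.get(current, [])
        final = [rr for rr in rrs if rr.rtype == qtype]
        if final:
            return accepted + final, None
        cnames = [rr for rr in rrs if rr.rtype == "CNAME"]
        if not cnames:
            return accepted, current      # chain stops short: ask again for this name
        accepted.append(cnames[0])
        current = norm(cnames[0].rdata)
    raise ValueError("CNAME chain longer than max_hops (possible loop)")

# Constructed sample responses (documentation names and addresses only).
ZONE = "example.com"
IN_ZONE = [RR("www.example.com.", "CNAME", "host.example.com."),
           RR("host.example.com.", "A", "192.0.2.10")]
OUT_OF_ZONE = [RR("www.example.com.", "CNAME", "cdn.example.net."),
               RR("cdn.example.net.", "A", "198.51.100.7")]

if __name__ == "__main__":
    for label, answer in (("in-zone", IN_ZONE), ("out-of-zone", OUT_OF_ZONE)):
        kept, requery = walk_answer("www.example.com", "A", answer, ZONE)
        print(label, [rr.rtype for rr in kept], "re-query:", requery)
```

A query for type CNAME returns only the CNAME record, and a chain that stops at the CNAME leaves the resolver with a name it has to look up in a second query.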
