[ADNS] Re: CNAME chains 
Brad Spencer spencer at infointeractive.com 
Mon, 28 Aug 2006 14:43:00 -0300 

Previous message: CNAME chains 
Next message: CNAME chains option 
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] 
--pf9I7BMVVzbSWLtt
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Fri, Aug 25, 2006 at 11:36:04AM -0700, William Ahern wrote:
> On Fri, Aug 25, 2006 at 09:39:01AM +0100, peter burden wrote:
> > Hello,
> >    Is there any way to make ADNS follow CNAME chains ?
> > 
> >    I have set the adns_qf_cname_loose query flag and it seems OK for a 
> > single
> >    CNAME - e.g. (output from 'dig')

I posted a small patch back in 2003 that made changes to adns so that
it would follow CNAME chains.  See

http://www.chiark.greenend.org.uk/pipermail/adns-discuss/2003/001072.html

The patch included in that post is against an old adns version, so I
have attached my latest version of the patch to this message.  (I have
not tested that the attached patch applied cleanly to the current adns
source, but it may be slightly more in sync with the current version.)

> CNAME chains are technically not allowed. Such chains are violations of the
> specifications. Also, I believe MX host lookups returning CNAMEs (i.e. MX
> yahoo.com -> A mail.yahoo.com -> CNAME foo) is also illegal.

I have also been told that CNAME chains are illegal, but I can not
find any actual text that says that a resolver should fail when it
encounters them.  In fact, RFC 1034 Section 3.6.2 says:

  Domain names in RRs which point at another name should always point at
  the primary name and not the alias.  This avoids extra indirections in
  accessing information.  For example, the address to name RR for the
  above host should be:

     52.0.0.10.IN-ADDR.ARPA  IN      PTR     C.ISI.EDU

  rather than pointing at USC-ISIC.ARPA.

The above implies that CNAME chains are illegal, IMO.  But then, the
next sentence is:

  Of course, by the robustness principle, domain software should not
  fail when presented with CNAME chains or loops; CNAME chains
  should be followed and CNAME loops signalled as an error.

This advice, coupled with the fact that CNAME chains exist in the
wild, triggered me to create the patch in the first place.  My patch
doesn't detect loops, but instead simply won't follow chains longer
than a certain (hard-coded) size.

Hope this helps!

-- 
------------------------------------------------------------------
Brad Spencer - spencer@infointeractive.com - "It's quite nice..."
Systems Architect | InfoInterActive Corp. | A Canadian AOL Company

--pf9I7BMVVzbSWLtt
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="cname_chains.diff"

Index: adns-1.0/src/internal.h
===================================================================
RCS file: /iia/cvsroot/3rdParty/gnu/adns/adns-1.0/src/internal.h,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -p -r1.3 -r1.4
--- adns-1.0/src/internal.h	2 Oct 2003 17:01:46 -0000	1.3
+++ adns-1.0/src/internal.h	2 Oct 2003 17:14:29 -0000	1.4
@@ -206,6 +206,9 @@ struct adns__query {
   int cname_dglen, cname_begin;
   /* If non-0, has been allocated using . */
 
+  int cname_alias_hops_left;
+  /* The number of cname alias hops we will allow */
+
   vbuf search_vb;
   int search_origlen, search_pos, search_doneabs;
   /* Used by the searching algorithm.  The query domain in textual form
Index: adns-1.0/src/query.c
===================================================================
RCS file: /iia/cvsroot/3rdParty/gnu/adns/adns-1.0/src/query.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -p -r1.3 -r1.4
--- adns-1.0/src/query.c	2 Oct 2003 17:01:47 -0000	1.3
+++ adns-1.0/src/query.c	2 Oct 2003 17:14:29 -0000	1.4
@@ -63,6 +63,8 @@ static adns_query query_alloc(adns_state
 
   qu->cname_dgram= 0;
   qu->cname_dglen= qu->cname_begin= 0;
+  /* Allow CNAME chains up to some sane limit */
+  qu->cname_alias_hops_left = 10;
 
   adns__vbuf_init(&qu->search_vb);
   qu->search_origlen= qu->search_pos= qu->search_doneabs= 0;
Index: adns-1.0/src/reply.c
===================================================================
RCS file: /iia/cvsroot/3rdParty/gnu/adns/adns-1.0/src/reply.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -p -r1.3 -r1.4
--- adns-1.0/src/reply.c	2 Oct 2003 17:01:47 -0000	1.3
+++ adns-1.0/src/reply.c	2 Oct 2003 17:14:30 -0000	1.4
@@ -191,12 +191,13 @@ void adns__procdgram(adns_state ads, con
       if (qu->flags & adns_qf_cname_forbid) {
 	adns__query_fail(qu,adns_s_prohibitedcname);
 	return;
-      } else if (qu->cname_dgram) { /* Ignore second and subsequent CNAME(s) */
+      } else if (qu->cname_dgram && --(qu->cname_alias_hops_left) <= 0) { /* Don't follow "too long" CNAME chains */
 	adns__debug(ads,serv,qu,"allegedly canonical name %s"
-		    " is actually alias for %s", qu->answer->cname,
+		    " is actually alias for %s and aliases too deep",
+                    qu->answer->cname,
 		    adns__diag_domain(ads,serv,qu, &qu->vb,
 				      dgram,dglen,rdstart));
-	adns__query_fail(qu,adns_s_prohibitedcname);
+	adns__query_fail(qu,adns_s_norecurse);
 	return;
       } else if (wantedrrs) { /* Ignore CNAME(s) after RR(s). */
 	adns__debug(ads,serv,qu,"ignoring CNAME (to %s) coexisting with RR",

--pf9I7BMVVzbSWLtt--