[dns-operations] DNAME with LHS matching zone apex

Ben Scott mailvortex at gmail.com
Mon Feb 13 20:57:56 UTC 2012


Hello, world!

  Long time lurker, first time poster.

  In another forum, someone was trying to override a certain record in
a DNS zone he's not authoritative for.  While there are other ways to
do this, he's hit upon a solution using DNAME that he says works for
him.  I suspect his idea is, at best, an unexpected use of DNAME, if
not an actual violation of specification.  However, I didn't find
anything in RFC-2672 which addressed it explicitly.  So I thought I'd
float the idea here.  If anyone wants to comment, great.  If not, at
least the fact that people are (ab)using DNAME this way is now more
widely known.

  Anyway, the guy wants to make it so that queries for
<www.google.com.> return the records for <nosslsearch.google.com.>.
(Whether or not this is an effective policy-enforcement mechanism is
out-of-scope.)  He also wants to avoid having to manually mirror
Google's entire DNS.

  His solution was to claim authority for a zone <www.google.com.> on
his full-service resolvers, with records of the form:

	www.google.com.     SOA     dc1.example.com. ...
	www.google.com.     NS      dc1.example.com.
	www.google.com.     NS      dc2.example.com.
	www.google.com.     DNAME   nosslsearch.google.com.

  He claims this appears to work, in his testing.  He says he's
running Microsoft Windows Server 2008 R2 for the server, and that his
clients are varied (at least Win, Mac, and iOS), but mostly Win 7.

  I can't find anything explicitly addressing this in RFC-2672.  (This
is not to say it doesn't exist; just that I can't find it.)

  In general, it seems like the intent of DNAME is for the
left-hand-side to be a child domain of the current origin.  So if I am
<example.net>, I can have a DNAME for <foo.example.net.>, but not
<example.net.> itself.  But again, this doesn't seem to be explict.

  The closest I came to a contraindication was RFC-2672, Section 4.1,
Step 3.c (page 4), which states in part: "If at some label, a match is
impossible (i.e., the corresponding label does not exist), look to see
whether the last label matched has a DNAME record".  I'm thinking,
since we have to have other records (like SOA) defined for the zone
apex, the label exists and should be matched as such.  Thus, the DNAME
should never come into play.  But this is sufficiently off the beaten
path that I'm not sure.

  And who knows, maybe this *should* be allowed.  I can see
applications for the concept.  But the ideal world and this one
diverge, I've noticed.  :)

  Any thoughts or insights would be welcome.  If there's an FM I
should be R'ing, by all means, hit me over the head with it.  :)

-- Ben



More information about the dns-operations mailing list