[dns-operations] DNAME with LHS matching zone apex
Andrew Sullivan
ajs at anvilwalrusden.com
Mon Feb 13 21:41:47 UTC 2012
On Mon, Feb 13, 2012 at 03:57:56PM -0500, Ben Scott wrote:
> Anyway, the guy wants to make it so that queries for
> <www.google.com.> return the records for <nosslsearch.google.com.>.
> www.google.com. SOA dc1.example.com. ...
> www.google.com. NS dc1.example.com.
> www.google.com. NS dc2.example.com.
> www.google.com. DNAME nosslsearch.google.com.
>
> He claims this appears to work, in his testing. He says he's
> running Microsoft Windows Server 2008 R2 for the server, and that his
> clients are varied (at least Win, Mac, and iOS), but mostly Win 7.
If that works for him, then Windows Server 2008 isn't doing DNAME.
DNAME does _not_ redirect the name itself. It only redirects
children.
Given the fragment you sent, www.google.com shouldn't go anywhere.
However, www.www.google.com would go to www.nosslsearch.google.com.
If that were a CNAME instead, it should work. Of course, the buddy is
hijacking a domain for which he is not authoritative, and if anybody
does DNSSEC checking on this it will immediately fail. But I don't
imagine anyone who's had this particular inspiration from the Bad Idea
Fairy would care about that.
> In general, it seems like the intent of DNAME is for the
> left-hand-side to be a child domain of the current origin. So if I am
> <example.net>, I can have a DNAME for <foo.example.net.>, but not
> <example.net.> itself. But again, this doesn't seem to be explicit.
You're quite right. And it is explicit in the DNAME substitution
algorithm, but see
http://tools.ietf.org/html/draft-ietf-dnsext-rfc2672bis-dname-25 to
see if it's clearer. (That document is hung up in the IESG for
reasons I haven't been able to learn, but it should be coming out
soon.)
> And who knows, maybe this *should* be allowed. I can see
> applications for the concept. But the ideal world and this one
> diverge, I've noticed. :)
There are many people who would _like_ DNAME to work like CNAME+DNAME,
and in fact there have been proposals for this (see, e.g.,
http://tools.ietf.org/html/draft-sury-dnsext-cname-dname-00 and
http://tools.ietf.org/html/draft-yao-dnsext-bname-05). They've all
foundered so far.
A
--
Andrew Sullivan
ajs at anvilwalrusden.com
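The substitution rule Andrew describes above, as an added example that is not part of the thread: a small Python implementation of DNAME substitution (following RFC 6672, which is what the rfc2672bis draft became), beside the CNAME behaviour it is contrasted with. The owner and target names are the ones quoted from the post; `dname_substitute` and `cname_redirect` are hypothetical helper names.

```python
# Added example, not code from the thread. Implements the DNAME substitution
# rule (RFC 6672 section 2.2): only names strictly below the DNAME owner are
# rewritten; the owner itself is untouched. Label comparison is case-insensitive.

def labels(name: str) -> list:
    """Split a dotted name into labels, ignoring the empty root label."""
    return [lab for lab in name.rstrip(".").split(".") if lab]


def dname_substitute(qname: str, owner: str, target: str):
    """Apply DNAME owner -> target to qname.

    Returns the rewritten absolute name, or None when the DNAME does not apply
    (qname is the owner itself, or not below it). Raises ValueError when the
    result would exceed 255 octets on the wire (the YXDOMAIN case in RFC 6672).
    """
    q, o, t = labels(qname), labels(owner), labels(target)
    if len(q) <= len(o):
        return None  # the owner itself (or a shorter name) is never redirected
    suffix = [lab.lower() for lab in q[len(q) - len(o):]]
    if suffix != [lab.lower() for lab in o]:
        return None  # not a subdomain of the DNAME owner
    new_labels = q[:len(q) - len(o)] + t
    # wire length: one length octet per label plus its bytes, plus the root octet
    if sum(len(lab) + 1 for lab in new_labels) + 1 > 255:
        raise ValueError("substituted name exceeds 255 octets (YXDOMAIN)")
    return ".".join(new_labels) + "."


def cname_redirect(qname: str, owner: str, target: str):
    """CNAME, for contrast: redirects exactly the owner name and nothing else."""
    if [l.lower() for l in labels(qname)] == [l.lower() for l in labels(owner)]:
        return target.rstrip(".") + "."
    return None


def demo() -> dict:
    """The names from the post: which of them the DNAME record actually rewrites."""
    owner, target = "www.google.com.", "nosslsearch.google.com."
    queries = ("www.google.com.", "www.www.google.com.", "mail.google.com.")
    return {q: (dname_substitute(q, owner, target),
                cname_redirect(q, owner, target)) for q in queries}


if __name__ == "__main__":
    for q, (via_dname, via_cname) in demo().items():
        print(f"{q:24} DNAME -> {via_dname}   CNAME -> {via_cname}")
```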