[dns-operations] Any DNAME usage experience?
bsomers at opendns.com
Tue Mar 31 04:47:52 UTC 2020
I haven’t seen evidence of any nameservers that compress DNAMES, but TBH I don’t think it has ever really mattered in terms of breaking behaviour. For unsigned zones, the synthesized CNAME is the only thing the client cares about. The client that’s looking stuff up will only ever care about the CNAME (oh, I got a DNAME in my response… that’s nice <throws it on the ground>).
So I don’t think DNAME compression matters at all for unsigned zones.
As to why it needs to be canonicalized, I have no idea! As you say, RFC 2672 first mentioned DNAME and said it MUST NOT be compressed. I suspect RFC 3597 decided to include it because there was an “unless the sending server has some way of knowing that the receiver understands the DNAME record format” clause in that original RFC, so the “safe option” was taken.
Of course once RFC 3597 said it should be uncompressed, RFC 4034 kind of needed to say it should be canonicalized before being validated.
Unfortunately this also extended to RRSIG! I’m guessing that, because RRSIG is essentially the same format as SIG and because SIG signers could be compressed, it was decided that RRSIG signers must be lowercased for validation. But this didn’t apply to NSEC (which itself is the same format as NXT which could also be compressed!).
Anyway, I digress!
One useful thing I could say (if you haven’t hit delete yet) is that I *HAVE* seen RRSIGs with compressed signers in the wild, so never assume that, just because RFCs say MUST NOT, you’ll never see these horrible things. It was also decided that we (Cisco/Umbrella) should allow this (although it’s behind an option that defaults to "not-a-chance") due to the fact that other well-known resolvers seem to allow it — probably because they use their old SIG parser to parse RRSIGs and don’t differentiate.
Sorry, I digress again.
> On Mar 30, 2020, at 8:46 AM, John Levine <johnl at taugh.com> wrote:
> In article <5A408169-12B7-4F39-A69B-20B6E1EF8ADA at opendns.com> you write:
>> A few interesting things about DNAMES:
>> * For unsigned zones, resolvers don’t have to do anything, but the DNAME itself can break
>> - The synthesized CNAME makes the resolver “just work”
>> - RFC 3597 section 7 says that resolvers MUST uncompress DNAMEs. If they don’t, they may serve corrupt RRs
>> So a nameserver that serves compressed DNAMEs must be “fixed” by the resolver.
> Have you seen any nameservers that compress DNAMEs? That would be a
> very strange bug since it was always forbidden.
> John Levine, johnl at taugh.com, Primary Perpetrator of "The Internet for Dummies",
> Please consider the environment before reading this e-mail. https://jl.ly
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
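The two points raised in this thread, that a resolver has to decompress a DNAME target or an RRSIG signer name even though RFC 3597 says they MUST NOT be compressed, and that RFC 4034 canonical form then lowercases those names before validation, are shown below in a small wire-format parser. This is an added example, not code from the poster, Cisco/Umbrella or the dns-operations list. The message it parses is constructed inline (a DNAME and an RRSIG at `Example.COM.` whose RDATA names are compression pointers to the owner name; the signature bytes are a placeholder, not a real signature), so it runs offline. The parser decompresses leniently, builds the RFC 4034 canonical form, and flags each record whose RDATA name was compressed, which is the behaviour a resolver wants behind a "tolerate this" option: accept it, but log that the authoritative server violated the MUST NOT.

```python
import struct

TYPE_DNAME = 39
TYPE_RRSIG = 46


def encode_name(name):
    """Uncompressed wire format of a dotted name (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, offset):
    """Read a possibly compressed name (RFC 1035 section 4.1.4) at `offset`.

    Returns (labels, offset_after_field, used_pointer). Offsets already
    visited are tracked so a pointer loop raises instead of spinning."""
    labels, seen, end, used_pointer = [], set(), None, False
    while True:
        if offset in seen:
            raise ValueError("compression pointer loop at offset %d" % offset)
        seen.add(offset)
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # two-byte pointer: 11xxxxxx xxxxxxxx
            if end is None:
                end = offset + 2              # the field itself ends after the pointer
            used_pointer = True
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            continue
        if length > 63:
            raise ValueError("bad label length %d" % length)
        offset += 1
        if length == 0:                       # root label terminates the name
            return labels, (offset if end is None else end), used_pointer
        labels.append(msg[offset:offset + length])
        offset += length


def canonical_wire(labels):
    """RFC 4034 section 6.2 canonical form: uncompressed, labels lowercased."""
    return b"".join(bytes([len(l)]) + l.lower() for l in labels) + b"\x00"


def parse_rr(msg, offset):
    """Parse one RR; for DNAME and RRSIG also decode the name inside RDATA."""
    owner, offset, _ = read_name(msg, offset)   # owner-name compression is legal
    rtype, rclass, ttl, rdlength = struct.unpack_from("!HHIH", msg, offset)
    offset += 10
    rdata_start = offset
    rr = {"owner": canonical_wire(owner), "type": rtype, "class": rclass,
          "ttl": ttl, "rdata": msg[rdata_start:rdata_start + rdlength],
          "compressed_rdata_name": False, "canonical_rdata_name": None}
    if rtype == TYPE_DNAME:
        target, _, comp = read_name(msg, rdata_start)
    elif rtype == TYPE_RRSIG:
        # Signer name follows the 18-byte fixed part (type covered .. key tag).
        target, _, comp = read_name(msg, rdata_start + 18)
    else:
        target, comp = None, False
    if target is not None:
        rr["compressed_rdata_name"] = comp      # RFC 3597 section 7 says MUST NOT
        rr["canonical_rdata_name"] = canonical_wire(target)
    return rr, rdata_start + rdlength


def audit_message(msg):
    """Walk the question and answer sections; return the parsed answer RRs."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    offset = 12
    for _ in range(qdcount):
        _, offset, _ = read_name(msg, offset)
        offset += 4                               # QTYPE + QCLASS
    return [rr for rr, offset in _iter_rrs(msg, offset, ancount)]


def _iter_rrs(msg, offset, count):
    for _ in range(count):
        rr, offset = parse_rr(msg, offset)
        yield rr, offset


def build_sample_message():
    """Constructed sample, not a capture: qdcount=0, ancount=2. The owner sits
    at offset 12; both RDATA names are the pointer C0 0C back to it."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 0, 2, 0, 0)
    owner = encode_name("Example.COM.")           # mixed case on purpose
    pointer = b"\xc0\x0c"
    dname = owner + struct.pack("!HHIH", TYPE_DNAME, 1, 3600, len(pointer)) + pointer
    fixed = struct.pack("!HBBIIIH", TYPE_DNAME, 13, 2, 3600, 0x5E800000, 0x5E700000, 12345)
    rrsig_rdata = fixed + pointer + b"\x00" * 64  # placeholder signature bytes
    rrsig = pointer + struct.pack("!HHIH", TYPE_RRSIG, 1, 3600, len(rrsig_rdata)) + rrsig_rdata
    return header + dname + rrsig


if __name__ == "__main__":
    for rr in audit_message(build_sample_message()):
        if rr["compressed_rdata_name"]:
            print("type %d at %r: compressed RDATA name (MUST NOT), canonical %r"
                  % (rr["type"], rr["owner"], rr["canonical_rdata_name"]))
```

Note that `rr["rdata"]` is what an RFC 3597-unaware resolver would cache and re-serve for the DNAME: two pointer bytes that mean nothing outside this message, which is the "corrupt RRs" outcome the quoted message describes. Validation must use `canonical_rdata_name` instead.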