Hey Willy,

Recursors are not required to recurse when serving an ANY query. An ANY query means that you ask a server (either recursor or auth) for everything it has on label x. If it has a CNAME on that label, just returning that is a valid response (just as would happen if you queried for the CNAME type at label x). However, when you ask for an A or AAAA record, a recursor is required to follow the CNAME. Welcome to the wonderful world of DNS, which doesn't really make sense anymore to anyone ;).

As said in the other mail thread, ANY queries are just a very unreliable way to get the records/types you want. Just asking for the actual types, if necessary in multiple queries, is the way to go. DNS is (usually) fast enough that the one extra query really shouldn't matter that much.

-Robin-

On 10/20/2015 8:49 AM, Willy Tarreau wrote:
> Hi Andrew,
>
> On Mon, Oct 19, 2015 at 05:39:58PM -0500, Andrew Hayworth wrote:
> > The ANY query type is weird, and some resolvers don't 'do the legwork'
> > of resolving useful things like CNAMEs. Given that upstream resolver
> > behavior is not always under the control of the HAProxy administrator,
> > we should not use the ANY query type. Rather, we should use A or AAAA
> > according to either the explicit preferences of the operator, or the
> > implicit default (AAAA/IPv6).
>
> But how does that fix the problem for you? In your example below,
> the server clearly doesn't provide any A nor AAAA in the response
> so asking it for A or AAAA should not work either if it doesn't
> recurse, am I wrong?
>
> >    PRODUCTION! [email protected]:~$
> >    dig @10.11.12.53 ANY api.somestartup.io
> >
> >    ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @10.11.12.53 ANY api.somestartup.io
> >    ; (1 server found)
> >    ;; global options: +cmd
> >    ;; Got answer:
> >    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62454
> >    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
> >
> >    ;; QUESTION SECTION:
> >    ;api.somestartup.io.                        IN      ANY
> >
> >    ;; ANSWER SECTION:
> >    api.somestartup.io.         20      IN      CNAME   api-somestartup-production.ap-southeast-2.elb.amazonaws.com.
> (...)
>
> I fear that such a change will prevent CNAMEs from working for many
> users where the DNS servers work fine, and will not necessarily fix
> the problems for other people.
>
> Regards,
> willy
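
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not HAProxy's resolver code: a small DNS answer parser that tells a usable address answer apart from the CNAME-only answer an ANY query can legitimately return. The two wire-format responses, the names `api.example.test` and `lb.example.net`, and the address `192.0.2.10` are constructed sample data.

```python
import ipaddress, struct

A, CNAME, AAAA, ANY = 1, 5, 28, 255              # DNS RR / query type codes

def enc(name):                                   # dotted name -> wire-format labels
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\0"

def rr(owner, rtype, ttl, rdata):                # one class-IN resource record
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def response(qname, qtype, rrs):                 # flags 0x8180 = qr rd ra, NOERROR
    return (struct.pack("!6H", 0x1234, 0x8180, 1, len(rrs), 0, 0)
            + enc(qname) + struct.pack("!HH", qtype, 1) + b"".join(rrs))

def read_name(msg, off, hops=0):                 # -> (name, offset just past the name)
    labels = []
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:              # compression pointer
            if hops > 16:                        # refuse pointer loops in hostile replies
                raise ValueError("compression pointer loop")
            ptr = ((msg[off] & 0x3F) << 8) | msg[off + 1]
            return ".".join(labels + [read_name(msg, ptr, hops + 1)[0]]), off + 2
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return ".".join(labels + [""]), off + 1

def answers(msg):                                # [(type, rdata)] from the answer section
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4         # skip QTYPE and QCLASS
    out = []
    for _ in range(an):
        off = read_name(msg, off)[1]             # owner name is not needed here
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = read_name(msg, off + 10)[0] if rtype == CNAME else msg[off + 10:off + 10 + rdlen]
        out.append((rtype, rdata))
        off += 10 + rdlen
    return out

def classify(msg):                               # what a client can do with this reply
    rrs = answers(msg)
    addrs = [str(ipaddress.ip_address(d)) for t, d in rrs if t in (A, AAAA)]
    cnames = [d for t, d in rrs if t == CNAME]
    return ("use", addrs) if addrs else ("requery", cnames) if cnames else ("nodata", [])

QNAME, TARGET = "api.example.test", "lb.example.net"      # constructed sample data
CN = rr(b"\xc0\x0c", CNAME, 20, enc(TARGET))              # owner = pointer to the question name
ANY_RESP = response(QNAME, ANY, [CN])                     # recursor did not chase the CNAME
A_RESP = response(QNAME, A, [CN, rr(enc(TARGET), A, 20, bytes([192, 0, 2, 10]))])
```

`classify(ANY_RESP)` reports that the name must be queried again with an explicit A or AAAA type, while `classify(A_RESP)` yields the address taken from the CNAME chain the recursor followed.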
