Hi Stephane,
RFC1034 3.6: A zero TTL prohibits caching of the data. The CNAME has a 0 TTL
and therefore the message cannot be cached. The DNAME RR is stored in the
cache (since it has a TTL greater than zero). However, unbound will not
synthesize from the DNAME unless it is DNSSEC signed, to avoid spoof trouble.
Basically, unbound will trust the DNAME record only within the context of the
query for which the DNAME was asked. But since the CNAME had TTL 0, this
context is not stored. If the CNAME had TTL equal to the TTL of the DNAME,
say, then unbound would cache, and return a DNAME and CNAME message as you
expect (for that qname).

On 03/23/2011 05:17 PM, Stephane Bortzmeyer wrote:
> When I query repeatedly a name which is covered by a DNAME, the TTL in
> the answer makes me think Unbound does not cache it:
>
> % dig -x 128.232.233.1
> ...
> 233.232.128.in-addr.arpa. 86400 IN DNAME 233.232.128.in-addr.arpa.cam.ac.uk.

Note: 1.233.232.128.in-addr.arpa. 0 IN CNAME 1.233.232.128.in-addr.arpa.cam.ac.uk.

> % dig -x 128.232.233.1
> ...
> 233.232.128.in-addr.arpa. 86400 IN DNAME 233.232.128.in-addr.arpa.cam.ac.uk.

Yes.

> While BIND has the expected behaviour:
>
> % dig -x 128.232.233.1
> ...
> 233.232.128.in-addr.arpa. 86180 IN DNAME 233.232.128.in-addr.arpa.cam.ac.uk.
>
> % dig -x 128.232.233.1
> ...
> 233.232.128.in-addr.arpa. 86168 IN DNAME 233.232.128.in-addr.arpa.cam.ac.uk.
>
> Unbound 1.4.6

I see ARIN and RIPE offer signed reverse delegations, perhaps a good reason to
sign these zones :-)

Another solution is to deploy an authority server that gives TTL to the
synthesized CNAME equal to the TTL of the DNAME.
Best regards,
   Wouter

_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
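The mechanism discussed in this thread, as an added example that is not Unbound's or BIND's code: an authority-side DNAME substitution that lets you choose the TTL it puts on the synthesized CNAME, next to a toy resolver cache that refuses TTL 0 records and only reuses a DNAME together with the cached CNAME answer it arrived in (the behaviour Wouter describes for unsigned DNAMEs). The DNAME and qname are the ones from the thread; the policy names ("zero"/"dname"), the resolver model and the query timings (0 s, 220 s, 232 s, chosen to reproduce the 86180/86168 TTLs seen with BIND) are constructed assumptions.

```python
# Added example, not Unbound or BIND code. Models RFC 1034 3.6 TTL-0
# semantics and suffix-substitution DNAME synthesis; the resolver model,
# policy names and query timings below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RR:
    owner: str
    ttl: int
    rtype: str
    rdata: str


def _labels(name: str) -> list:
    """Split a presentation-format name into lower-cased labels."""
    return [lab for lab in name.lower().split(".") if lab]


def _canon(name: str) -> str:
    """Canonical form: lower-case, absolute (trailing dot)."""
    return ".".join(_labels(name)) + "."


def synthesize_cname(qname: str, dname: RR, cname_ttl: str = "zero") -> Optional[RR]:
    """Replace the DNAME-owner suffix of qname with the DNAME target.

    Returns None when qname is not strictly below the DNAME owner (the owner
    itself is not redirected). cname_ttl picks the TTL policy for the
    synthesized CNAME: "zero" (TTL 0, what the authority in the thread sent)
    or "dname" (copy the DNAME's TTL, the alternative suggested in the reply).
    """
    q, o = _labels(qname), _labels(dname.owner)
    if dname.rtype != "DNAME" or len(q) <= len(o) or q[-len(o):] != o:
        return None
    target_labels = q[:-len(o)] + _labels(dname.rdata)
    # Wire length: one length octet per label plus the root octet; over 255 is YXDOMAIN.
    if sum(len(lab) + 1 for lab in target_labels) + 1 > 255:
        raise ValueError("substituted name exceeds 255 octets (YXDOMAIN)")
    ttl = 0 if cname_ttl == "zero" else dname.ttl
    return RR(_canon(qname), ttl, "CNAME", ".".join(target_labels) + ".")


class Cache:
    """Minimal positive cache: a record with TTL 0 is never stored (RFC 1034 3.6)."""

    def __init__(self):
        self._store = {}

    def insert(self, rr: RR, now: int) -> bool:
        if rr.ttl <= 0:
            return False
        self._store[(_canon(rr.owner), rr.rtype)] = (rr, now + rr.ttl)
        return True

    def lookup(self, owner: str, rtype: str, now: int) -> Optional[RR]:
        hit = self._store.get((_canon(owner), rtype))
        if hit is None or hit[1] <= now:
            return None
        rr, expiry = hit
        return RR(rr.owner, expiry - now, rr.rtype, rr.rdata)  # remaining TTL


# Records taken from the thread.
DNAME_RR = RR("233.232.128.in-addr.arpa.", 86400, "DNAME",
              "233.232.128.in-addr.arpa.cam.ac.uk.")
QNAME = "1.233.232.128.in-addr.arpa."


def simulate(cname_ttl: str, query_times):
    """Resolver model: the DNAME is reused only together with the cached CNAME
    answer it came in (no synthesis from the DNAME alone). Returns, per query,
    where the answer came from and the DNAME TTL the client would see."""
    cache = Cache()
    seen = []
    for now in query_times:
        if cache.lookup(QNAME, "CNAME", now) is not None:
            seen.append(("cache", cache.lookup(DNAME_RR.owner, "DNAME", now).ttl))
            continue
        cname = synthesize_cname(QNAME, DNAME_RR, cname_ttl)  # the authority's answer
        cache.insert(DNAME_RR, now)   # stored: TTL > 0
        cache.insert(cname, now)      # dropped when its TTL is 0
        seen.append(("authority", DNAME_RR.ttl))
    return seen


if __name__ == "__main__":
    for policy in ("zero", "dname"):
        print(policy, simulate(policy, [0, 220, 232]))
```

With the "zero" policy every query goes back to the authority and the DNAME TTL in the answer stays at 86400, which is what the Unbound output in the thread shows; with "dname" the second and third queries are served from cache and the TTL counts down (86180, 86168).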
