Hi Luo Ce,

The solution we would like to implement is that the CNAME is not followed for qtype ANY (and fix DNSSEC-validation of such responses). Because it is RFC-conformant and short.

Is this OK, or does this create problems; for aliasing perhaps? Is there some specific result you need to get from ANY queries to DNAME and CNAME aliases? It would be good to support aliases. Or is this bug report not because of aliasing but an error found in the lab?

Best regards,
   Wouter

On 07/11/2011 11:14 AM, W.C.A. Wijngaards wrote:
> Hi,
>
> Yes, unbound continues processing and follows the CNAME, also for qtype
> ANY. It fetches the qtype ANY at the CNAME destination for the client.
>
> Best regards,
>    Wouter
>
> On 07/11/2011 02:59 AM, Luo Ce wrote:
>> Not only www.google.com, I tried www.sohu.com and
>> www.yahoo.com, the results unbound gave me all
>> include the A records.
>
>> So the problem may not be the authoritative server, it looks like
>> unbound continues to process the cname response and gets the final A records.
>
>> ; <<>> DiG 9.7.3-P1 <<>> @localhost www.sohu.com any
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55095
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 3, ADDITIONAL: 3
>
>> ;; QUESTION SECTION:
>> ;www.sohu.com.                  IN      ANY
>
>> ;; ANSWER SECTION:
>> www.sohu.com.            600    IN      CNAME   d7.a.sohu.com.
>> d7.a.sohu.com.           300    IN      CNAME   frontend-tc7.a.sohu.com.
>> frontend-tc7.a.sohu.com. 300    IN      A       61.135.181.169
>> frontend-tc7.a.sohu.com. 300    IN      A       61.135.181.171
>> frontend-tc7.a.sohu.com. 300    IN      A       61.135.181.167
>
>> ;; AUTHORITY SECTION:
>> a.sohu.com.              3600   IN      NS      y.a.sohu.com.
>> a.sohu.com.              3600   IN      NS      x.a.sohu.com.
>> a.sohu.com.              3600   IN      NS      z.a.sohu.com.
>
>> ;; ADDITIONAL SECTION:
>> x.a.sohu.com.            7200   IN      A       121.14.0.42
>> y.a.sohu.com.            7200   IN      A       220.181.26.169
>> z.a.sohu.com.            7200   IN      A       61.135.179.168
>
>> ; <<>> DiG 9.7.3-P1 <<>> @localhost www.yahoo.com any
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24745
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
>
>> ;; QUESTION SECTION:
>> ;www.yahoo.com.                 IN      ANY
>
>> ;; ANSWER SECTION:
>> www.yahoo.com.           300    IN      CNAME   fp.wg1.b.yahoo.com.
>> fp.wg1.b.yahoo.com.      60     IN      CNAME   any-fp.wa1.b.yahoo.com.
>> any-fp.wa1.b.yahoo.com.  60     IN      A       98.137.149.56
>> any-fp.wa1.b.yahoo.com.  60     IN      A       72.30.2.43
>
>> From: Blacka, David [mailto:[email protected]]
>> Sent: Friday, July 08, 2011 8:25 PM
>> To: Luo Ce
>> Cc: <[email protected]>
>> Subject: Re: [Unbound-users] Question about qtype=any
>
>> On Jul 7, 2011, at 9:30 PM, Luo Ce wrote:
>
>> Hi all,
>
>> When I use unbound and send a query with qtype = any
>
>> dig @localhost www.google.com any
>
>> unbound returns me the following results:
>
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11161
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0
>
>> ;; QUESTION SECTION:
>> ;www.google.com.                IN      ANY
>
>> ;; ANSWER SECTION:
>> www.google.com.          604800 IN      CNAME   www.l.google.com.
>> www.l.google.com.        300    IN      A       74.125.71.147
>> www.l.google.com.        300    IN      A       74.125.71.99
>> www.l.google.com.        300    IN      A       74.125.71.106
>> www.l.google.com.        300    IN      A       74.125.71.105
>> www.l.google.com.        300    IN      A       74.125.71.103
>> www.l.google.com.        300    IN      A       74.125.71.104
>
>> I just want to know whether the A records are needed for the qtype any,
>> cos when I send the same query to bind, it only returns me the cname answer.
>
>> I believe what is happening here is that unbound is returning what the
>> authoritative server returns for 'www.google.com/ANY', while BIND is
>> reconstructing the answer (that is, looking at its cache and returning
>> all RRsets that match the qname).
>
>> So, maybe a better question is: why does google's authoritative
>> nameservers return the A records with qtype=ANY?
>
>> --
>> David Blacka <[email protected]>
>> Principal Engineer Verisign Infrastructure Engineering
>
>> _______________________________________________
>> Unbound-users mailing list
>> [email protected]
>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
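
A way to check from the client side which of the two behaviours discussed in this thread a resolver shows for a qtype=ANY query, as an added example that is not part of the original messages: it parses a dig-style ANSWER section and reports whether records beyond the CNAME at the query name were returned. The function names are hypothetical; the first sample is the www.sohu.com answer quoted in the thread, the second is constructed to match the CNAME-only answer the thread attributes to BIND.

```python
# Added example (not from the thread): classify an ANSWER section for qtype=ANY.

# Sample 1: ANSWER section quoted in the thread (unbound, www.sohu.com ANY).
UNBOUND_ANSWER = """
www.sohu.com.            600 IN CNAME d7.a.sohu.com.
d7.a.sohu.com.           300 IN CNAME frontend-tc7.a.sohu.com.
frontend-tc7.a.sohu.com. 300 IN A 61.135.181.169
frontend-tc7.a.sohu.com. 300 IN A 61.135.181.171
frontend-tc7.a.sohu.com. 300 IN A 61.135.181.167
"""

# Sample 2: constructed, a CNAME-only answer as described for BIND.
CNAME_ONLY_ANSWER = """
www.sohu.com.            600 IN CNAME d7.a.sohu.com.
"""

def parse_answer(text):
    """Parse 'owner ttl class type rdata' lines into (owner, type, rdata)."""
    records = []
    for line in text.splitlines():
        fields = line.strip().split(None, 4)
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # skip blanks, dig comments and short lines
        owner, _ttl, _cls, rtype, rdata = fields
        records.append((owner.lower(), rtype.upper(), rdata.strip()))
    return records

def classify_any_answer(qname, text):
    """Return (verdict, cname_chain, records_not_owned_by_qname)."""
    records = parse_answer(text)
    qname = qname.lower().rstrip(".") + "."
    chain, current = [qname], qname
    while True:
        target = next((rd.lower() for o, t, rd in records
                       if o == current and t == "CNAME"), None)
        if target is None or target in chain:  # end of chain or CNAME loop
            break
        chain.append(target)
        current = target
    beyond = [r for r in records if r[0] != qname]
    if len(chain) == 1:
        verdict = "no-cname"
    else:
        verdict = "cname-followed" if beyond else "cname-only"
    return verdict, chain, beyond

if __name__ == "__main__":
    for label, sample in (("unbound", UNBOUND_ANSWER), ("cname-only", CNAME_ONLY_ANSWER)):
        print(label, classify_any_answer("www.sohu.com", sample)[0])
```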
