How not to set up your DNS (part 16)

Sort of presented in the traditional illustrated format:

; sdig ns ibc.com.au.
ns1.ibc.com.au.
ns2.ibc.com.au.
; dig cname ibc.com.au. @ns1.ibc.com.au.
[...]
;; flags: qr aa; QUERY: 1, ANSWER: 1, [...]
[...]
;; ANSWER SECTION:
ibc.com.au. IN SOA ns1.ibc.com.au. \
             hostmaster.localdomain. [....]

(The TTL has been omitted and the line wrapped for clarity.)

This is not how you are supposed to say 'I do not have a CNAME record'. What ibc.com.au should be doing is returning a reply with nothing in the 'answer' section and their SOA record in the 'additional authority' section.

The net result of this issue is that a number of resolving nameservers will return SERVFAIL when asked to see if ibc.com.au is a CNAME, which has various interesting downstream consequences.

(Technically the com.au zone says that ibc.com.au has two other nameservers, however a) ibc.com.au disagrees, since the extras are not in the NS records that the first two return and b) the extra two are non-authoritative anyways.)
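An added example, not part of the original post: a Python check that reads dig output and tells the reply shape shown above (an SOA record in the answer section of a CNAME query) apart from a proper empty answer with the SOA in the authority section. The sample replies use example.com and are constructed, and the function names are this example's own.

```python
import re

# One resource record as dig prints it: owner, TTL, class, type, rdata.
RR = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(.*)$")

def rr_types(dig_text):
    """Map section name -> list of record types found in that section."""
    found, current = {"ANSWER": [], "AUTHORITY": []}, None
    for line in dig_text.splitlines():
        header = re.match(r"^;; (\w+) SECTION:", line)
        if header:
            current = header.group(1)
        elif not line.strip():
            current = None          # a blank line ends the section
        elif current in found and RR.match(line):
            found[current].append(RR.match(line).group(4).upper())
    return found

def classify(dig_text, qtype):
    """Classify an authoritative reply to a query for qtype (ANY not handled)."""
    status = re.search(r"status: (\w+)", dig_text).group(1)
    found = rr_types(dig_text)
    # Only the queried type, an alias (CNAME/DNAME) or signatures belong here.
    stray = [t for t in found["ANSWER"]
             if t not in (qtype.upper(), "CNAME", "DNAME", "RRSIG")]
    if stray:
        return "malformed: %s in answer to a %s query" % (",".join(stray), qtype)
    if status != "NOERROR":
        return status.lower()
    if found["ANSWER"]:
        return "answer"
    return "nodata" if "SOA" in found["AUTHORITY"] else "empty, no SOA"

# Constructed sample replies for a CNAME query (not captured from a real server).
HEADER = ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1\n"
SOA = "example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 1 3600 600 86400 3600\n"
BROKEN = HEADER + "\n;; ANSWER SECTION:\n" + SOA      # the shape shown on this page
CORRECT = HEADER + "\n;; AUTHORITY SECTION:\n" + SOA  # empty answer, SOA as authority

if __name__ == "__main__":
    for name, reply in (("broken", BROKEN), ("correct", CORRECT)):
        print(name, "->", classify(reply, "CNAME"))
```
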

This is part of CSpace, and is written by ChrisSiebenmann.

Written on 09 July 2007.
Last modified: Mon Jul 9 15:56:42 2007