Skip to content

GitLab

BIND
BIND
Closed
Opened by Roland Bracewell Shoemaker@rolandshoemaker
Report abuse New issue

Non-standard behavior when encountering single record alias loops

It appears BIND has non-standard (both RFC and ecosystem) behavior when encountering single record CNAME alias loop. When a loop in encountered BIND properly terminates the recursion logic but returns a non-error RCODE and the CNAME it encountered.

When I first saw this I thought the issue was with normal loops (i.e. loop-a.com -> loop-b.com -> loop-a.com) but BIND behaves correctly when encountering this (throwing a SERVFAIL), the issue is with a slightly more strange single record loop (loop-a.com -> loop-a.com). My initial assumption was there was some specific reason for doing this but I was unable to find one (albeit my search was rather brief so I may have missed something) and as far as I can tell none of the other major resolvers display this behavior.

Using the following zone here are my testing results from BIND, Unbound, PowerDNS, and Google's public resolver.

Zone:

loop.testing.bracewel.net. IN	CNAME	loop.testing.bracewel.net.

Results:

BIND 9.12.1:
$ dig a loop.testing.bracewel.net @localhost -p 8053

; <<>> DiG 9.9.7-P3 <<>> a loop.testing.bracewel.net @localhost -p 8053
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38730
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;loop.testing.bracewel.net.	IN	A

;; ANSWER SECTION:
loop.testing.bracewel.net. 0	IN	CNAME	loop.testing.bracewel.net.

;; Query time: 1492 msec
;; SERVER: 127.0.0.1#8053(127.0.0.1)
;; WHEN: Tue Mar 20 15:10:15 GMT 2018
;; MSG SIZE  rcvd: 68
Unbound 1.6.5:
$ dig a loop.testing.bracewel.net @localhost -p 8153

; <<>> DiG 9.9.7-P3 <<>> a loop.testing.bracewel.net @localhost -p 8153
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57714
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1252
;; QUESTION SECTION:
;loop.testing.bracewel.net.	IN	A

;; Query time: 477 msec
;; SERVER: 127.0.0.1#8153(127.0.0.1)
;; WHEN: Tue Mar 20 15:35:54 GMT 2018
;; MSG SIZE  rcvd: 54
PowerDNS 4.1.1:
$ dig a loop.testing.bracewel.net @localhost -p 8253

; <<>> DiG 9.9.7-P3 <<>> a loop.testing.bracewel.net @localhost -p 8253
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 65153
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;loop.testing.bracewel.net.	IN	A

;; ANSWER SECTION:
loop.testing.bracewel.net. 0	IN	CNAME	loop.testing.bracewel.net.

;; Query time: 168 msec
;; SERVER: 127.0.0.1#8253(127.0.0.1)
;; WHEN: Tue Mar 20 15:47:23 GMT 2018
;; MSG SIZE  rcvd: 68
Google:
$ dig a loop.testing.bracewel.net @8.8.8.8

; <<>> DiG 9.9.7-P3 <<>> a loop.testing.bracewel.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19269
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;loop.testing.bracewel.net.	IN	A

;; Query time: 72 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Mar 20 15:11:36 GMT 2018
;; MSG SIZE  rcvd: 54
To upload designs, you'll need to enable LFS. More information