DNAME-DNAME loop generates ~17 length CNAME chain but a DNAME-CNAME loop terminates early
Summary
When there is a DNAME-DNAME
loop in the zone file, the BIND server generates 17 CNAMEs, but for a DNAME-CNAME
chain, the BIND server stops after one iteration. The DNAME-DNAME
loop behavior is also different from Knot and NSD.
BIND version used
BIND 9.11.3-1ubuntu1.13-Ubuntu (Extended Support Version) id:a375815
Steps to reproduce
Consider the following zone file:
campus.edu. | 500 SOA | ns1.campus.edu. root.campus.edu. 3 86400 7200 604800 300 |
campus.edu. | 500 NS | ns1.outside.edu. |
d.campus.edu. | 500 DNAME | f.d.campus.edu. |
For the query <a.f.d.campus.edu, A>
, the response returned by BIND was:
"opcode QUERY",
"rcode NOERROR",
"flags QR AA RA",
";QUESTION",
"a.f.d.campus.edu. IN A",
";ANSWER",
"d.campus.edu. 500 IN DNAME f.d.campus.edu.",
"a.f.d.campus.edu. 500 IN CNAME a.f.f.d.campus.edu.",
"a.f.f.d.campus.edu. 500 IN CNAME a.f.f.f.d.campus.edu.",
"a.f.f.f.d.campus.edu. 500 IN CNAME a.f.f.f.f.d.campus.edu.",
"a.f.f.f.f.d.campus.edu. 500 IN CNAME a.f.f.f.f.f.d.campus.edu.",
"a.f.f.f.f.f.d.campus.edu. 500 IN CNAME a.f.f.f.f.f.f.d.campus.edu.",
"a.f.f.f.f.f.f.d.campus.edu. 500 IN CNAME a.f.f.f.f.f.f.f.d.campus.edu.",
"a.f.f.f.f.f.f.f.d.campus.edu. 500 IN CNAME a.f.f.f.f.f.f.f.f.d.campus.edu.",
"a.f.f.f.f.f.f.f.f.d.campus.edu. 500 IN CNAME a.f.f.f.f.f.f.f.f.f.d.campus.edu.",
"a.f.f.f.f.f.f.f.f.f.d.campus.edu. 500 IN CNAME a.f.f.f.f.f.f.f.f.f.f.d.campus.edu.",
"a.f.f.f.f.f.f.f.f.f.f.d.campus.edu. 500 IN CNAME a.f.f.f.f.f.f.f.f.f.f.f.d.campus.edu.",
"a.f.f.f.f.f.f.f.f.f.f.f.d.campus.edu. 500 IN CNAME a.f.f.f.f.f.f.f.f.f.f.f.f.d.campus.edu.",
"a.f.f.f.f.f.f.f.f.f.f.f.f.d.campus.edu. 500 IN CNAME a.f.f.f.f.f.f.f.f.f.f.f.f.f.d.campus.edu.",
"a.f.f.f.f.f.f.f.f.f.f.f.f.f.d.campus.edu. 500 IN CNAME a.f.f.f.f.f.f.f.f.f.f.f.f.f.f.d.campus.edu.",
"a.f.f.f.f.f.f.f.f.f.f.f.f.f.f.d.campus.edu. 500 IN CNAME a.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.d.campus.edu.",
"a.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.d.campus.edu. 500 IN CNAME a.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.d.campus.edu.",
"a.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.d.campus.edu. 500 IN CNAME a.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.d.campus.edu.",
"a.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.d.campus.edu. 500 IN CNAME a.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.d.campus.edu.",
whereas the response from Knot and NSD was:
"opcode QUERY",
"rcode NOERROR",
"flags QR AA",
";QUESTION",
"a.f.d.campus.edu. IN A",
";ANSWER",
"d.campus.edu. 500 IN DNAME f.d.campus.edu.",
"a.f.d.campus.edu. 500 IN CNAME a.f.f.d.campus.edu.",
";AUTHORITY",
";ADDITIONAL"
NSD logs mention -- DNAME processing stopped due to loop, qname a.f.d.campus.edu.
Consider another zone file:
campus.edu. | 500 SOA | ns1.campus.edu. root.campus.edu. 3 86400 7200 604800 300 |
campus.edu. | 500 NS | ns1.outside.edu. |
d.campus.edu. | 500 DNAME | f.campus.edu. |
e.f.campus.edu. | 500 CNAME | e.d.campus.edu. |
The response from BIND, NSD, and Knot was:
"opcode QUERY",
"rcode NOERROR",
"flags QR AA RA",
";QUESTION",
"e.d.campus.edu. IN A",
";ANSWER",
"d.campus.edu. 500 IN DNAME f.campus.edu.",
"e.d.campus.edu. 500 IN CNAME e.f.campus.edu.",
"e.f.campus.edu. 500 IN CNAME e.d.campus.edu.",
";AUTHORITY",
";ADDITIONAL"
What is the current bug behavior?
BIND authoritative server goes on for an infinite (17) CNAME synthesis.
What is the expected correct behavior?
In the DNAME-CNAME
case, it is evident that after the second CNAME,
the new query is the same as the original one, so the implementations stop. For the DNAME-DNAME
case, it is harder to say which behavior (BIND or others) is the correct behavior as the zone file is not proper. I expected BIND also to stop after the first iteration in both cases.
(I looked in the repo for this issue and did not find it, so I am filing a new issue and please excuse me if it's a duplicate.)