Problem with recursively resolving AAAA records from CNAMES

Sam Trenholme strenholme.usenet at gmail.com
Mon Jun 16 11:28:43 EDT 2008


I know this issue has come up before; this is one of those issues I'm
not going to fix because I'm completely rewriting the recursive
resolver.  Basically, the CNAME code in MaraDNS 1's recursive resolver
is a bit of a hack.  Well, maybe "a bit" is an understatement.

The real solution is a complete rewrite.  I stopped doing the rewrite
for six months because I took a break from MaraDNS; I just continued
the rewrite yesterday.  Right now, the new code is a usable
caching-only nameserver.  In other words, you need to use your ISP's
nameserver or MaraDNS 1 (or BIND or powerdns or dnscache or pdnsd
or...) to resolve the DNS queries, but the nameserver will remember
the responses of the upstream nameserver.

The new cache is a lot cleaner in terms of the code, doesn't use
threads (yay!), and has some features MaraDNS doesn't have, such as
the ability to read and write the cache to disk, and the ability to
retrieve expired records from the cache if it's impossible to contact
the upstream (ISP's) DNS servers.

I just fixed the issue with reading and writing the cache to disk
yesterday; I will upload this file later on today.

GROUCHY DISCLAIMER:

I'm a mean, grouchy, and nasty developer.  I *hate* getting private
email with MaraDNS support questions.  This includes non-security
bugfixes.  I'm not technical support; sorry guys.

If you send me a MaraDNS-related support question, I reserve the right
to post your support email to the Mara-DNS mailing list so that the
community at large can examine your issue. MaraDNS security
vulnerability reports, however, will be kept confidential.

2008/6/16 Teran McKinney <sega01 at gmail.com>:
> Hi,
>
> I had heard about MaraDNS from a friend and wanted to implement a
> recursive DNS server for my LAN. MaraDNS looked quite nice, so I
> decided to give it a try. I recently migrated from DD-WRT to OpenWRT,
> and used its 1.2.12.06 MaraDNS package. Everything worked perfectly,
> except I started to notice that I did not connect over IPv6 to some
> IPv6-enabled sites. Digging a little deeper, I found that only sites
> that used CNAMEs pointing to records with AAAA records were the
> culprit.
>
> For example:
> sega01[~]$ dig ipv6.google.com aaaa
>
> ; <<>> DiG 9.4.2 <<>> ipv6.google.com aaaa
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4801
> ;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;ipv6.google.com.               IN      AAAA
>
> ;; ANSWER SECTION:
> ipv6.google.com.        900     IN      CNAME   ipv6.l.google.com.
>
> ;; Query time: 221 msec
> ;; SERVER: 192.168.8.1#53(192.168.8.1)
> ;; WHEN: Mon Jun 16 11:11:00 2008
> ;; MSG SIZE  rcvd: 54
>
> However, it appears that MaraDNS does not recursively resolve the
> CNAME's target for AAAA records.
>
> OpenDNS returns the following:
>
> sega01[~]$ dig ipv6.google.com aaaa @208.67.222.222
>
> ; <<>> DiG 9.4.2 <<>> ipv6.google.com aaaa @208.67.222.222
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59569
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;ipv6.google.com.               IN      AAAA
>
> ;; ANSWER SECTION:
> ipv6.google.com.        9753    IN      CNAME   ipv6.l.google.com.
> ipv6.l.google.com.      300     IN      AAAA    2001:4860:0:2001::68
>
> ;; Query time: 50 msec
> ;; SERVER: 208.67.222.222#53(208.67.222.222)
> ;; WHEN: Mon Jun 16 11:12:44 2008
> ;; MSG SIZE  rcvd: 82
>
> There is no issue with MaraDNS using CNAMEs and A records, and AAAA
> records individually work fine. I have also tested this on 1.3.11 with
> the same results. Some other users on #ipv6 reported the same issues
> with MaraDNS after I asked about this.
>
> Any ideas?
>
> Thanks,
> Teran McKinney (sega01)
>

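The two dig outputs above show the difference between a resolver that stops at the CNAME and one that chases it to the terminal AAAA RRset. The following is an added example, not code from MaraDNS or from either poster: a small Python model of CNAME chasing over a constructed in-memory record store (the names and addresses mirror the quoted dig output, the `example.` names, the loop limit `MAX_CNAME_CHAIN`, and the functions `upstream`, `resolve_no_chase`, and `resolve` are all assumptions of this example). It contrasts the reported behaviour with a correct chase that returns the whole chain, stops cleanly when the target has no record of the requested type (NODATA), and refuses CNAME loops and over-long chains, which is the check a resolver needs before it follows data supplied by an arbitrary upstream.

```python
"""CNAME chasing in a caching/recursive resolver (illustrative model).

Assumptions of this example: an in-memory RRset store stands in for the
upstream nameservers, RRs are plain tuples, and names are fully qualified
with a trailing dot.  Sample data is constructed, not a live lookup.
"""
from typing import Dict, List, Tuple

RR = Tuple[str, int, str, str]  # (owner, ttl, type, rdata)

# Constructed sample data modelled on the dig output quoted in the thread.
ZONE: Dict[Tuple[str, str], List[RR]] = {
    ("ipv6.google.com.", "CNAME"): [("ipv6.google.com.", 900, "CNAME", "ipv6.l.google.com.")],
    ("ipv6.l.google.com.", "AAAA"): [("ipv6.l.google.com.", 300, "AAAA", "2001:4860:0:2001::68")],
    # A CNAME whose target has only an A record: an AAAA query must end in NODATA.
    ("www.example.", "CNAME"): [("www.example.", 300, "CNAME", "v4only.example.")],
    ("v4only.example.", "A"): [("v4only.example.", 300, "A", "192.0.2.10")],
    # A CNAME loop, the kind of data a hostile upstream could hand back.
    ("loop-a.example.", "CNAME"): [("loop-a.example.", 60, "CNAME", "loop-b.example.")],
    ("loop-b.example.", "CNAME"): [("loop-b.example.", 60, "CNAME", "loop-a.example.")],
}

MAX_CNAME_CHAIN = 8  # hypothetical bound so a long or looping chain cannot run unbounded


class CnameLoop(Exception):
    """Raised when a CNAME chain revisits a name or exceeds MAX_CNAME_CHAIN."""


def upstream(name: str, qtype: str) -> List[RR]:
    """Stand-in for an upstream query: the RRset for (name, qtype) or [] if none."""
    return list(ZONE.get((name, qtype), []))


def resolve_no_chase(name: str, qtype: str) -> List[RR]:
    """The behaviour reported in the thread: if the name has no qtype RRset,
    hand back its CNAME and stop, so the client never sees the address."""
    rrs = upstream(name, qtype)
    return rrs if rrs else upstream(name, "CNAME")


def resolve(name: str, qtype: str) -> List[RR]:
    """Resolve qtype for name, following CNAMEs (RFC 1034 section 3.6.2).

    Returns every CNAME in the chain followed by the terminal RRset, which is
    what the answer section of a correct reply should contain.  A chain that
    ends at a name without a qtype RRset yields only the CNAMEs (NODATA).
    """
    answer: List[RR] = []
    seen = set()
    current = name
    while True:
        # Loop and length checks come before trusting the next hop.
        if current in seen:
            raise CnameLoop("CNAME loop at %s" % current)
        seen.add(current)
        if len(seen) > MAX_CNAME_CHAIN:
            raise CnameLoop("CNAME chain longer than %d" % MAX_CNAME_CHAIN)

        rrs = upstream(current, qtype)
        if rrs or qtype == "CNAME":
            # Found the requested type (or the caller asked for the CNAME itself).
            answer.extend(rrs)
            return answer

        cname = upstream(current, "CNAME")
        if not cname:
            # End of the chain and no qtype record there: NODATA for this name.
            return answer
        answer.extend(cname)
        current = cname[0][3]  # follow the CNAME target


def answer_types(rrs: List[RR]) -> List[str]:
    """Record types in answer-section order, handy for comparing the two behaviours."""
    return [rr[2] for rr in rrs]


if __name__ == "__main__":
    for fn in (resolve_no_chase, resolve):
        print(fn.__name__, answer_types(fn("ipv6.google.com.", "AAAA")))
```

`resolve_no_chase("ipv6.google.com.", "AAAA")` returns only the CNAME, matching the first dig output; `resolve` returns the CNAME followed by the AAAA, matching the OpenDNS reply. The loop and length checks are the part worth keeping in mind for a rewrite: a resolver that follows CNAMEs must bound the walk, since the chain is data from the network, not from the operator.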