Message from Steven Ngo

Full Name: Steven Ngo
Organization: Amazon Web Services
E-mail: ngosteve@amazon.com
Phone Number: 2405354571

Message:

The following commit seems to break CNAME -> DNAME resolution:
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=bd6f27f5c353133b563fe69100b2f168c129f3ca

Description of problem:

If you have a DNS record which is a CNAME pointing to a DNAME record, DNS resolution attempts through Redhat BIND result in a SERVFAIL instead of returning the record when the cache expires.

Expected Response:

[ec2-user@ip-100-64-1-194 ~]$ dig @8.8.8.8 abc4.test.stevenngo.me

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.48.amzn1 <<>> @8.8.8.8 abc4.test.stevenngo.me
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45731
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;abc4.test.stevenngo.me.		IN	A

;; ANSWER SECTION:
abc4.test.stevenngo.me.		0	IN	CNAME	roy.osd.test.stevenngo.me.
osd.test.stevenngo.me.		0	IN	DNAME	test2.stevenngo.me.
roy.osd.test.stevenngo.me.	0	IN	CNAME	roy.test2.stevenngo.me.
roy.test2.stevenngo.me.		0	IN	A	12.12.12.12

;; Query time: 867 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Nov 30 17:24:39 2016
;; MSG SIZE  rcvd: 134

Actual Response:

[ec2-user@ip-100-64-1-194 ~]$ dig @localhost abc4.test.stevenngo.me

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.48.amzn1 <<>> @localhost abc4.test.stevenngo.me
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2378
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;abc4.test.stevenngo.me.		IN	A

;; Query time: 893 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Nov 30 17:23:34 2016
;; MSG SIZE  rcvd: 40

BIND configuration:

[ec2-user@ip-100-64-1-194 ~]$ cat /etc/named.conf
options {
	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable
	// nameservers, you probably want to use them as forwarders.
	// Uncomment the following block, and insert the addresses replacing
	// the all-0's placeholder.
	recursion yes;
	forwarders {
		8.8.8.8;
	};
	forward only;

	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys.  See https://www.isc.org/bind-keys
	//========================================================================
	auth-nxdomain no;    # conform to RFC1035
	listen-on-v6 { any; };
	max-cache-ttl 6;
	max-ncache-ttl 6;
};

This email was sent from Contact ISC in ISC's Wordpress Page
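The chain the report expects a resolver to walk (CNAME, then a DNAME at an ancestor of the CNAME target, then the synthesized CNAME, then the A record) can be checked independently of any particular BIND build. The following is an added example, not code from the bug report or from BIND: it takes a constructed copy of the three authoritative records behind the report's expected response and performs the DNAME substitution of RFC 6672 itself, so the resulting answer section can be compared record for record with what dig @8.8.8.8 returned. The record tuples, the MAX_CHAIN limit and the function names are assumptions of this example.

```python
"""Walk a CNAME/DNAME chain the way a validating resolver must (RFC 6672, s.3).

Added example; not part of the original bug report and not BIND code.
"""

# Constructed from the report's expected response: (owner, type, rdata).
# Only the authoritative data is listed; the CNAME synthesized from the
# DNAME is produced by resolve_chain(), not stored here.  TTLs are omitted.
AUTHORITATIVE_DATA = [
    ("abc4.test.stevenngo.me.", "CNAME", "roy.osd.test.stevenngo.me."),
    ("osd.test.stevenngo.me.", "DNAME", "test2.stevenngo.me."),
    ("roy.test2.stevenngo.me.", "A", "12.12.12.12"),
]

# The ANSWER SECTION the report shows from 8.8.8.8, in the same order.
EXPECTED_ANSWER_SECTION = [
    ("abc4.test.stevenngo.me.", "CNAME", "roy.osd.test.stevenngo.me."),
    ("osd.test.stevenngo.me.", "DNAME", "test2.stevenngo.me."),
    ("roy.osd.test.stevenngo.me.", "CNAME", "roy.test2.stevenngo.me."),
    ("roy.test2.stevenngo.me.", "A", "12.12.12.12"),
]

MAX_CHAIN = 16  # assumed bound; stops CNAME/DNAME loops from spinning forever


def _labels(name):
    """Split an absolute name into lowercase labels, ignoring the root dot."""
    return name.lower().rstrip(".").split(".")


def dname_substitute(qname, owner, target):
    """Apply DNAME owner -> target to qname.

    Returns the rewritten name, or None when qname is not strictly below
    owner.  The DNAME owner itself is never rewritten (RFC 6672 s.2.2).
    """
    q, o = _labels(qname), _labels(owner)
    if len(q) <= len(o) or q[-len(o):] != o:
        return None
    prefix = q[: -len(o)]
    return ".".join(prefix + target.rstrip(".").split(".")) + "."


def resolve_chain(qname, qtype, records):
    """Return (rcode, answer_section) for qname/qtype over `records`.

    At each step: an RRset of the requested type ends the chain; otherwise a
    CNAME at the exact name is followed; otherwise the closest-enclosing DNAME
    rewrites the name and a CNAME is synthesized into the answer.  This toy
    reports NXDOMAIN for any dead end (it does not distinguish NODATA) and
    SERVFAIL when the chain exceeds MAX_CHAIN.
    """
    answer = []
    name = qname
    for _ in range(MAX_CHAIN):
        same_owner = [r for r in records if _labels(r[0]) == _labels(name)]

        exact = [r for r in same_owner if r[1] == qtype]
        if exact:
            answer.extend(exact)
            return "NOERROR", answer

        cname = [r for r in same_owner if r[1] == "CNAME"]
        if cname:
            answer.append(cname[0])
            name = cname[0][2]
            continue

        # Closest enclosing DNAME wins when several apply.
        best = None
        for owner, rtype, target in records:
            if rtype != "DNAME":
                continue
            new_name = dname_substitute(name, owner, target)
            if new_name is not None and (best is None or len(_labels(owner)) > len(_labels(best[0]))):
                best = (owner, rtype, target, new_name)
        if best is None:
            return "NXDOMAIN", answer
        owner, rtype, target, new_name = best
        answer.append((owner, rtype, target))
        answer.append((name, "CNAME", new_name))  # synthesized CNAME
        name = new_name

    return "SERVFAIL", answer  # chain too long, treat as a loop


if __name__ == "__main__":
    rcode, rrs = resolve_chain("abc4.test.stevenngo.me.", "A", AUTHORITATIVE_DATA)
    print(rcode)
    for owner, rtype, rdata in rrs:
        print(f"{owner}\t{rtype}\t{rdata}")
    print("matches expected:", rrs == EXPECTED_ANSWER_SECTION)
```

Running it prints NOERROR and the four records in the order the report's expected response lists them; the synthesized CNAME for roy.osd.test.stevenngo.me. comes out of the DNAME rule, which is the step a resolver has to perform itself when only the DNAME is in its cache.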