content-type: text/html; charset="utf-8"
X-RT-Original-Encoding: ascii
Content-Length: 3371

<h3>Message from Steven Ngo</h3>
<ul>
<li>Full Name: Steven Ngo</li>
<li>Organization: Amazon Web Services</li>
<li>E-mail: ngosteve@amazon.com</li>
<li>Phone Number: 2405354571</li>
<ul>
<h4>Message</h4>
<p>The following commit seems to break CNAME -&gt; DNAME resolution:<br />
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=bd6f27f5c353133b563fe69100b2f168c129f3ca</p>
<p>Description of problem:  If you have a DNS record which is a CNAME pointing to a DNAME record, DNS resolution attempts through Redhat bind result in a servfail instead of returning the record when the cache expires.  </p>
<p>Expected Response:<br />
[ec2-user@ip-100-64-1-194 ~]$ dig @8.8.8.8 abc4.test.stevenngo.me</p>
<p>; &lt;&lt;&gt;&gt; DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.48.amzn1 &lt;&lt;&gt;&gt; @8.8.8.8 abc4.test.stevenngo.me<br />
; (1 server found)<br />
;; global options: +cmd<br />
;; Got answer:<br />
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 45731<br />
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0</p>
<p>;; QUESTION SECTION:<br />
;abc4.test.stevenngo.me.		IN	A</p>
<p>;; ANSWER SECTION:<br />
abc4.test.stevenngo.me.	0	IN	CNAME	roy.osd.test.stevenngo.me.<br />
osd.test.stevenngo.me.	0	IN	DNAME	test2.stevenngo.me.<br />
roy.osd.test.stevenngo.me. 0	IN	CNAME	roy.test2.stevenngo.me.<br />
roy.test2.stevenngo.me.	0	IN	A	12.12.12.12</p>
<p>;; Query time: 867 msec<br />
;; SERVER: 8.8.8.8#53(8.8.8.8)<br />
;; WHEN: Wed Nov 30 17:24:39 2016<br />
;; MSG SIZE  rcvd: 134</p>
<p>Actual Response:<br />
[ec2-user@ip-100-64-1-194 ~]$ dig @localhost abc4.test.stevenngo.me</p>
<p>; &lt;&lt;&gt;&gt; DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.48.amzn1 &lt;&lt;&gt;&gt; @localhost abc4.test.stevenngo.me<br />
; (1 server found)<br />
;; global options: +cmd<br />
;; Got answer:<br />
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: SERVFAIL, id: 2378<br />
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0</p>
<p>;; QUESTION SECTION:<br />
;abc4.test.stevenngo.me.		IN	A</p>
<p>;; Query time: 893 msec<br />
;; SERVER: 127.0.0.1#53(127.0.0.1)<br />
;; WHEN: Wed Nov 30 17:23:34 2016<br />
;; MSG SIZE  rcvd: 40</p>
<p>BIND configuration:<br />
[ec2-user@ip-100-64-1-194 ~]$ cat /etc/named.conf<br />
options {</p>
<p>	// If there is a firewall between you and nameservers you want<br />
	// to talk to, you may need to fix the firewall to allow multiple<br />
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113</p>
<p>	// If your ISP provided one or more IP addresses for stable<br />
	// nameservers, you probably want to use them as forwarders.<br />
	// Uncomment the following block, and insert the addresses replacing<br />
	// the all-0&#039;s placeholder.</p>
<p>	recursion yes;<br />
	forwarders {<br />
		8.8.8.8;<br />
	};<br />
	forward only;</p>
<p>	//========================================================================<br />
	// If BIND logs error messages about the root key being expired,<br />
	// you will need to update your keys.  See https://www.isc.org/bind-keys<br />
	//========================================================================</p>
<p>	auth-nxdomain no;    # conform to RFC1035<br />
	listen-on-v6 { any; };<br />
	max-cache-ttl 6;<br />
	max-ncache-ttl 6;<br />
};</p>
<hr>
<p>This email was sent from Contact ISC in ISC's Wordpress Page</p>