The DNAME RR has mnemonic DNAME and type code 39 (decimal). It is CLASS-insensitive.
What meaning do the NS records of a zone in which a DNAME has been created have?
- They have no more meaning than glue, since no proper records can be created there.
- All subdomains are redirected anyway (wildcards included).
-- ToshinoriMaeno 2019-09-04 02:24:01
1. Change to the lookup procedure
If no name in the zone matches the QNAME, strip the leading label and search the zone again. (No good: that is not what RFC 6672 describes. It reuses step 3 of RFC 1034 section 4.3.2, matching down from the zone apex label by label, and the substitution happens as soon as a node on that path owns a DNAME, before the QNAME itself is reached.)
- When a DNAME record is found, ...
Is this consistent with qname minimisation? -- ToshinoriMaeno 2019-09-06 04:05:17
No, more to the point: is it consistent with the lookup that is done when there is no DNAME?
https://tools.ietf.org/html/rfc6672
- DNAME Redirection in the DNS
Abstract
The DNAME record provides redirection for a subtree of the domain name tree in the DNS. That is, all names that end with a particular suffix are redirected to another part of the DNS. This document obsoletes the original specification in RFC 2672 as well as updates the document on representing IPv6 addresses in DNS (RFC 3363).
2.2. The DNAME Substitution
When following step 3 of the algorithm in RFC 1034 [RFC1034], Section 4.3.2, "start matching down, label by label, in the zone" and a node is found to own a DNAME resource record, a DNAME substitution occurs.
Is this really the procedure by which lookups are done?
- DJB's lookup does not work that way.
The name being sought may be the original query name or a name that is the result of a CNAME resource record being followed or a previously encountered DNAME. As in the case when finding a CNAME resource record or NS resource record set, the processing of a DNAME will happen prior to finding the desired domain name.
A DNAME substitution is performed by replacing the suffix labels of the name being sought matching the owner name of the DNAME resource record with the string of labels in the RDATA field. The matching labels end with the root label in all cases. Only whole labels are replaced. See the table of examples for common cases and corner cases.

In the table below, the QNAME refers to the query name. The owner is the DNAME owner domain name, and the target refers to the target of the DNAME record. The result is the resulting name after performing the DNAME substitution on the query name. "no match" means that the query did not match the DNAME, and thus no substitution is performed and a possible error message is returned (if no other result is possible). Thus, every line contains one example substitution. In the examples below, 'cyc' and 'shortloop' contain loops.

QNAME            owner          DNAME target   result
---------------- -------------- -------------- -----------------
com.             example.com.   example.net.   <no match>
example.com.     example.com.   example.net.   [0]
a.example.com.   example.com.   example.net.   a.example.net.
a.b.example.com. example.com.   example.net.   a.b.example.net.
ab.example.com.  b.example.com. example.net.   <no match>
foo.example.com. example.com.   example.net.   foo.example.net.
a.x.example.com. x.example.com. example.net.   a.example.net.
a.example.com.   example.com.   y.example.net. a.y.example.net.
cyc.example.com. example.com.   example.com.   cyc.example.com.
cyc.example.com. example.com.   c.example.com. cyc.c.example.com.
shortloop.x.x.   x.             .              shortloop.x.
shortloop.x.     x.             .              shortloop.

[0] The result depends on the QTYPE. If the QTYPE = DNAME, then the result is "example.com.", else "<no match>".

Table 1. DNAME Substitution Examples
<no match> means that no substitution is performed. -- ToshinoriMaeno 2019-09-06 10:26:20
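The substitution rule and the label-by-label walk quoted above, as an added worked example (this is not code from this page, from RFC 6672, or from any resolver). dname_substitute() follows Table 1 exactly: whole-label matching (so ab.example.com. does not match owner b.example.com.), the QTYPE=DNAME special case for the owner name itself, and the root target. resolve() wraps it in the RFC 1034 step-3 walk over a small zone and bounds the chain length, which is how the 'cyc' rows terminate in practice. The zone, its names and its addresses are constructed for the demo.

```python
"""DNAME substitution (RFC 6672 section 2.2) and the label-by-label zone walk
(RFC 1034 section 4.3.2, step 3) that triggers it.

Added example for this page; it is not code from the page, the RFC, or any
resolver. The zone below and its addresses are constructed for the demo.
"""


def labels(name):
    """Split an absolute presentation-format name into lower-cased labels,
    leftmost first. 'A.Example.com.' -> ['a', 'example', 'com']; '.' -> []."""
    stripped = name.rstrip(".")
    return stripped.lower().split(".") if stripped else []


def join(parts):
    """Inverse of labels(): [] -> '.', ['a', 'b'] -> 'a.b.'."""
    return ".".join(parts) + "."


def dname_substitute(qname, owner, target, qtype="A"):
    """Apply one DNAME substitution; return the new name, or None for <no match>.

    Only whole labels are compared, so 'ab.example.com.' does not match the
    owner 'b.example.com.' even though it is a string suffix. A DNAME redirects
    descendants only: the owner name itself matches solely when QTYPE is DNAME
    (Table 1, footnote [0]). Loops are not detected here; the caller bounds the
    chain, which is how resolvers cope with the 'cyc' rows of Table 1."""
    q, o, t = labels(qname), labels(owner), labels(target)
    keep = len(q) - len(o)                 # leading labels that survive
    if keep < 0 or q[keep:] != o:
        return None
    if keep == 0:
        return join(o) if qtype == "DNAME" else None
    return join(q[:keep] + t)


def find_dname(zone, apex, qname):
    """Match down from the apex label by label (RFC 1034 4.3.2 step 3) and
    return (owner, target) for the first DNAME met strictly above qname,
    or None. `zone` maps owner names to {rtype: rdata}."""
    q = labels(qname)
    for n in range(len(labels(apex)), len(q)):   # apex .. parent of qname
        node = join(q[len(q) - n:])
        rrs = zone.get(node, {})
        if "DNAME" in rrs:
            return node, rrs["DNAME"]
    return None


def resolve(zone, apex, qname, qtype, max_chain=8):
    """Answer qname/qtype from one zone, following DNAMEs inside it.
    Returns (status, rdata, cnames): status is 'answer', 'nodata' or 'loop';
    cnames lists the (name, new_name) pairs a server would synthesize as
    unsigned CNAME records in the answer section."""
    cnames = []
    name = join(labels(qname))
    for _ in range(max_chain):
        hit = find_dname(zone, apex, name)
        if hit is None:
            rdata = zone.get(name, {}).get(qtype)
            return ("answer" if rdata is not None else "nodata"), rdata, cnames
        owner, target = hit
        new_name = dname_substitute(name, owner, target, qtype)
        cnames.append((name, new_name))
        name = new_name
    return "loop", None, cnames


# Constructed example zone (apex example.com.); addresses are documentation space.
ZONE = {
    "example.com.":         {"NS": ["ns1.example.com."]},
    "ns1.example.com.":     {"A": ["192.0.2.53"]},
    "old.example.com.":     {"DNAME": "new.example.com."},    # old.* -> new.*
    "new.example.com.":     {"A": ["192.0.2.10"]},
    "www.new.example.com.": {"A": ["192.0.2.11"]},
    "cyc.example.com.":     {"DNAME": "c.cyc.example.com."},  # self-referencing loop
}

if __name__ == "__main__":
    print(resolve(ZONE, "example.com.", "www.old.example.com.", "A"))
    print(resolve(ZONE, "example.com.", "old.example.com.", "A"))     # owner itself: nodata
    print(resolve(ZONE, "example.com.", "a.cyc.example.com.", "A"))   # bounded: loop
```

The (name, new_name) pairs that resolve() returns are exactly the CNAME records a server adds to the answer without a signature; a validating resolver has to recompute them from the signed DNAME, which is why the whole-label rule and the QTYPE=DNAME case for the owner name have to be implemented identically on both sides.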
5.1. Canonical Hostnames Cannot Be below DNAME Owners
The names listed as target names of MX, NS, PTR, and SRV [RFC2782] records must be canonical hostnames. This means no CNAME or DNAME redirection may be present during DNS lookup of the address records for the host.
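A check for the rule in 5.1, as an added example (not code from this page or from the RFC): given records reduced to (owner, type, target) triples, it flags MX, NS, PTR and SRV targets that own a CNAME or that fall below a DNAME owner. The records are constructed; MX preference and SRV priority/weight/port are left out so that only the host name remains. A target that is itself the DNAME owner is accepted, because a DNAME redirects the owner's descendants, not the owner.

```python
"""Zone lint for RFC 6672 section 5.1: MX, NS, PTR and SRV targets must be
canonical hostnames, i.e. the address lookup for the target must not pass
through a CNAME or a DNAME.

Added example for this page, not code from the page or the RFC. The records
below are constructed, with RDATA reduced to the host name."""


def labels(name):
    """Lower-cased labels of an absolute name, leftmost first; '.' -> []."""
    stripped = name.rstrip(".")
    return stripped.lower().split(".") if stripped else []


def norm(name):
    """Canonical spelling used for comparisons: lower case, trailing dot."""
    return ".".join(labels(name)) + "."


def is_below(name, ancestor):
    """True when name is a proper subdomain of ancestor, comparing whole labels."""
    n, a = labels(name), labels(ancestor)
    return len(n) > len(a) and n[len(n) - len(a):] == a


HOST_TARGET_TYPES = {"MX", "NS", "PTR", "SRV"}


def noncanonical_targets(records):
    """records: list of (owner, rtype, target) triples.
    Returns (owner, rtype, target, reason) for every host-target record whose
    target owns a CNAME or lies below a DNAME owner. A target that *is* a
    DNAME owner passes: the DNAME applies to descendants, not to the owner."""
    dname_owners = [norm(o) for o, t, _ in records if t == "DNAME"]
    cname_owners = {norm(o) for o, t, _ in records if t == "CNAME"}
    findings = []
    for owner, rtype, target in records:
        if rtype not in HOST_TARGET_TYPES:
            continue
        if norm(target) in cname_owners:
            findings.append((owner, rtype, target, "target owns a CNAME"))
        for d in dname_owners:
            if is_below(target, d):
                findings.append((owner, rtype, target,
                                 "target is below DNAME owner " + d))
    return findings


# Constructed records; 192.0.2.0/24 is documentation address space.
RECORDS = [
    ("old.example.com.",        "DNAME", "new.example.com."),
    ("alias.example.com.",      "CNAME", "mail.new.example.com."),
    ("example.com.",            "MX",    "mail.old.example.com."),  # redirected by DNAME
    ("example.com.",            "MX",    "mail.new.example.com."),  # canonical
    ("example.com.",            "NS",    "old.example.com."),       # DNAME owner itself: allowed
    ("_sip._tcp.example.com.",  "SRV",   "alias.example.com."),     # target owns a CNAME
    ("1.2.0.192.in-addr.arpa.", "PTR",   "www.old.example.com."),   # redirected by DNAME
]

if __name__ == "__main__":
    for finding in noncanonical_targets(RECORDS):
        print(*finding)
```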
5.3. DNSSEC and DNAME
What happens here? (with signatures)
6. Examples of DNAME Use in a Zone
8. Security Considerations
If a validating resolver accepts wildcarded DNAMEs, this creates security issues. Since the processing of a wildcarded DNAME is non-deterministic and the CNAME that was substituted by the server has no signature, the resolver may choose a different result than what the server meant, and consequently end up at the wrong destination. Use of wildcarded DNAMEs is discouraged in any case [RFC4592].