spf-discuss

Re: Re: possible changes to the SPF I-D during AUTH48

2005-08-20 12:52:48
On Sat, 20 Aug 2005, Frank Ellermann wrote:

> I'm still surprised that Stuart apparently works at a level,
> where it's his decision to handle CNAME at all, and how.  The
> code doing this should be the same for all applications on top
> of DNS, not only SPF / TXT, also DKIM, MX, A, whatever.  But
> there's an excellent chance that I just didn't get the problem.

I am not alone.  Other software (open source where I can look at it)
that needs to look up something besides A/PTR records (e.g. sendmail)
or that needs to do multiple queries in parallel (e.g. squid) deals
with the resolv.h level (or lower).  The DNS servers will follow the CNAME as
far as they can, and include the chain in the response packet.
Squid just skips over CNAME records, looking for A records in
a response packet.  If it doesn't find it, it throws an error.  This
effectively limits the CNAME chain to what will fit in a packet.

There is no inherent limit imposed by the DNS architecture.  When it
gets to the end of a chain in a packet, a client can keep issuing new
queries to follow the chain further.  I don't like the "fits in one
UDP packet" approach of squid, because I can imagine legitimate
uses for long domains, and just a few of those could fill up a packet.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
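The chain-following Stuart describes, as an added example that is not code from the post or from any SPF implementation: a client walks the CNAMEs the server packed into one response and, when the chain runs past what the packet contains, hands back the name it should query next instead of failing the way squid does. The tuple record model, the sample answer section and the max_hops guard are this example's own assumptions.

```python
# Added example (not from the list post): walk the CNAME chain a DNS server
# packed into one response, the way a resolv.h-level client has to.  Records
# are (owner, rtype, rdata) tuples rather than wire format, and the sample
# answer section is constructed; both are this example's own simplifications.
from typing import List, Optional, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, rdata)


def _norm(name: str) -> str:
    """Case- and trailing-dot-insensitive comparison form of a name."""
    return name.lower().rstrip(".")


def follow_chain(answers: List[Record], qname: str, qtype: str,
                 max_hops: int = 8) -> Tuple[List[str], Optional[str]]:
    """Return (rdata of qtype records found, name still to be queried).

    Follow CNAMEs present in the packet starting at qname.  If the chain
    points at a name the packet says nothing about, return ([], target)
    so the caller can send a fresh query for it, as the post describes.
    If qname itself has no records at all, return ([], None).  max_hops
    is this example's own guard against looped or runaway chains.
    """
    name = _norm(qname)
    seen = set()
    hops = 0
    while True:
        if name in seen:
            raise ValueError("CNAME loop at %s" % name)
        seen.add(name)
        here = [r for r in answers if _norm(r[0]) == name]
        wanted = [rdata for _, rtype, rdata in here if rtype == qtype]
        if wanted:
            return wanted, None
        cnames = [rdata for _, rtype, rdata in here if rtype == "CNAME"]
        if not cnames:
            # End of what the server included: nothing more in this packet.
            return [], (name if hops else None)
        if hops >= max_hops:
            raise ValueError("CNAME chain exceeds %d hops" % max_hops)
        name = _norm(cnames[0])
        hops += 1


# Constructed answer section: two CNAME hops ending in an SPF TXT record.
SAMPLE_ANSWERS: List[Record] = [
    ("mail.example.com.", "CNAME", "alias1.example.net."),
    ("alias1.example.net.", "CNAME", "alias2.example.net."),
    ("alias2.example.net.", "TXT", "v=spf1 mx -all"),
]
```

Calling follow_chain(SAMPLE_ANSWERS[:2], "mail.example.com", "TXT") models a packet the server had to cut short and returns ([], "alias2.example.net"), the name the client queries next.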