From: "Eugene M. Kim" <20080111.freebsd.org@ab.ote.we.lv>
Date: Tue, 23 Sep 2008 14:08:39 -0700
To: freebsd-net@freebsd.org
Subject: Request for review - PR bin/127951: spurious warning against DNAME RRs

Greetings,

I just submitted a very simple PR/patch - http://www.freebsd.org/cgi/query-pr.cgi?pr=127591 - which fixes spurious but annoying warnings against DNAME RRs (annoying because they spam syslog at auth.notice level).

The patch should not cause any regression, because it just suppresses the warning without altering any other control flow, but I am not entirely sure if there is a valid case where DNAMEs should trigger a strong security warning just as they currently do.

Could someone please review and/or take care of this PR?

Cheers,
Eugene

P.S. A bit of background information, for those who are not familiar with the subject:

DNAME RRs, as defined in RFC 2672, provide a useful mechanism for mapping/aliasing an entire DNS tree. For (a real) example, given a primary domain "the-7.net" and a number of secondary domains such as the-7.com, the-7.org, the-seven.net and so on, instead of having to add CNAMEs for "www", "mail" and other subdomains to every single secondary domain, one can simply add "IN DNAME the-7.net." to the zone apex of those secondary domains, and the DNS server will take care of all possible - current /and/ future - subdomains automatically, by returning a synthesized CNAME:

$ dig www.the-7.com IN A +noall +answer

; <<>> DiG 9.4.2-P1 <<>> www.the-7.com IN A +noall +answer
;; global options:  printcmd
the-7.com.              300     IN      DNAME   the-7.net.
www.the-7.com.          0       IN      CNAME   www.the-7.net.
www.the-7.net.          300     IN      CNAME   purple.the-7.net.
purple.the-7.net.       300     IN      A       64.71.156.34
$
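
The DNAME substitution described in the P.S. above, as an added example that is not part of the original message or of the PR's patch: Python code deriving the synthesized CNAME per RFC 2672, including the cases where no CNAME is produced (the owner name itself, unrelated names) and the over-length result that a server answers with YXDOMAIN. Function and exception names are hypothetical, and names are assumed to contain no escaped dots.

```python
# Added illustration: RFC 2672 DNAME substitution (synthesized CNAME).
# Function and exception names are hypothetical, not from any resolver.

MAX_NAME_OCTETS = 255  # wire-format limit on a domain name


class NameTooLong(Exception):
    """Substituted name exceeds 255 octets (a server answers YXDOMAIN)."""


def labels(name):
    """Split a presentation-format name into lowercase labels, root excluded."""
    name = name.rstrip(".")
    return [l.lower() for l in name.split(".")] if name else []


def wire_length(lbls):
    """Octets on the wire: one length byte per label plus the root byte."""
    return sum(len(l) + 1 for l in lbls) + 1


def synthesize_cname(qname, dname_owner, dname_target):
    """Return (owner, target) of the synthesized CNAME, or None.

    None means the DNAME does not apply: it redirects only names strictly
    below its owner, never the owner itself or unrelated names.
    """
    q, owner, target = labels(qname), labels(dname_owner), labels(dname_target)
    if len(q) <= len(owner) or q[len(q) - len(owner):] != owner:
        return None
    # Keep the labels below the DNAME owner, swap the owner suffix for the target.
    prefix = q[:len(q) - len(owner)]
    new = prefix + target
    if wire_length(new) > MAX_NAME_OCTETS:
        raise NameTooLong(".".join(new) + ".")
    return (".".join(q) + ".", ".".join(new) + ".")


if __name__ == "__main__":
    # Query names built around the zone shown in the dig output above.
    for qname in ("www.the-7.com.", "the-7.com.", "a.b.The-7.COM.", "www.the-7.org."):
        print(qname, "->", synthesize_cname(qname, "the-7.com.", "the-7.net."))
```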