mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2025-04-09 10:47:34 +00:00
e6a4a329b8
Basically, it's ill-defined and shouldn't really be used going forward. We can't guarantee that resolvers will do the 'legwork' for us and actually resolve CNAMES when we request the ANY query-type. Case in point (obfuscated, clearly): PRODUCTION! ahayworth@secret-hostname.com:~$ dig @10.11.12.53 ANY api.somestartup.io ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @10.11.12.53 ANY api.somestartup.io ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62454 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0 ;; QUESTION SECTION: ;api.somestartup.io. IN ANY ;; ANSWER SECTION: api.somestartup.io. 20 IN CNAME api-somestartup-production.ap-southeast-2.elb.amazonaws.com. ;; AUTHORITY SECTION: somestartup.io. 166687 IN NS ns-1254.awsdns-28.org. somestartup.io. 166687 IN NS ns-1884.awsdns-43.co.uk. somestartup.io. 166687 IN NS ns-440.awsdns-55.com. somestartup.io. 166687 IN NS ns-577.awsdns-08.net. ;; Query time: 1 msec ;; SERVER: 10.11.12.53#53(10.11.12.53) ;; WHEN: Mon Oct 19 22:02:29 2015 ;; MSG SIZE rcvd: 242 HAProxy can't handle that response correctly. Rather than try to build in support for resolving CNAMEs presented without an A record in an answer section (which may be a valid improvement further on), this change just skips ANY record types altogether. A and AAAA are much more well-defined and predictable. Notably, this commit preserves the implicit "Prefer IPV6 behavior." Furthermore, ANY query type by default is a bad idea: (from Robin on HAProxy's ML): Using ANY queries for this kind of stuff is considered by most people to be a bad practice since besides all the things you named it can lead to incomplete responses. Basically a resolver is allowed to just return whatever it has in cache when it receives an ANY query instead of actually doing an ANY query at the authoritative nameserver. Thus if it only received queries for an A record before you do an ANY query you will not get an AAAA record even if it is actually available since the resolver doesn't have it in its cache. Even worse if before it only got MX queries, you won't get either A or AAAA |
||
|---|---|---|
| .. | ||
| acl.h | ||
| action.h | ||
| applet.h | ||
| arg.h | ||
| auth.h | ||
| backend.h | ||
| capture.h | ||
| channel.h | ||
| checks.h | ||
| compression.h | ||
| connection.h | ||
| counters.h | ||
| dns.h | ||
| fd.h | ||
| freq_ctr.h | ||
| global.h | ||
| hdr_idx.h | ||
| hlua.h | ||
| lb_chash.h | ||
| lb_fas.h | ||
| lb_fwlc.h | ||
| lb_fwrr.h | ||
| lb_map.h | ||
| listener.h | ||
| log.h | ||
| mailers.h | ||
| map.h | ||
| obj_type.h | ||
| pattern.h | ||
| peers.h | ||
| pipe.h | ||
| port_range.h | ||
| proto_http.h | ||
| proto_udp.h | ||
| protocol.h | ||
| proxy.h | ||
| queue.h | ||
| sample.h | ||
| server.h | ||
| session.h | ||
| signal.h | ||
| ssl_sock.h | ||
| stick_table.h | ||
| stream_interface.h | ||
| stream.h | ||
| task.h | ||
| template.h | ||
| vars.h | ||