[dns-operations] NS records pointing to names with CNAME records

Paul Vixie vixie at isc.org
Thu Jun 25 16:00:20 UTC 2009

> Date: Wed, 24 Jun 2009 14:56:13 -0700
> From: Matthew Dempsky <matthew at dempsky.org>
> Does anyone have any knowledge of how well currently deployed DNS
> caches handle NS records pointing to names with CNAME records?

pretty much does not work.  there are two places it would need to work,
one is in the additional section processing (when adding A/AAAA RRs to
the additional data section corresponding to the NS RRs in the authority
section), the other is in query forwarding (when deciding on a list of
name server addresses to which a query might be forwarded.)  the RFCs
do not mention following CNAME in these two cases; only in the case
where the QNAME matches an alias does the RFC offer guidance.  as a
result, i know of no implementation that follows CNAME in these two
cases.  in RFC 1034 section 3.6.2 (page 15) i see this text:

	Domain names in RRs which point at another name should always point
	at the primary name and not the alias.  This avoids extra
	indirections in accessing information.

> I know the relevant RFCs warn that zones should not be configured this
> way because older caches may have problems with them, but they also warn
> against CNAME chains (which are commonly used),

begging to differ, in RFC 1034 section 3.6.2 (page 15) i see this text:

		... CNAME chains should be followed and CNAME loops
	signalled as an error.

> and looking at my DNSTrust logs, I discovered a handful of zones
> configured this way, including one ccTLD (.mm).

i'd guess there's a lot of trash in a lot of syslog files as a result of
the .mm problem.
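As an added example, not part of the original thread: a small Python model of the two code paths described above (additional-section processing, which looks up addresses at the NS target name itself, and QNAME lookup, which follows CNAME chains and signals loops per RFC 1034 3.6.2), plus a zone lint that flags NS targets that own a CNAME. The zone data, names and function names are constructed for illustration.

```python
# Constructed zone data (owner -> {type: [rdata, ...]}); not a real zone.
ZONE = {
    "example.test.":        {"NS": ["ns1.example.test.", "alias.example.test."]},
    "ns1.example.test.":    {"A": ["192.0.2.1"]},
    "alias.example.test.":  {"CNAME": ["ns2.example.test."]},   # NS -> alias
    "ns2.example.test.":    {"A": ["192.0.2.2"]},
    "loop-a.example.test.": {"CNAME": ["loop-b.example.test."]},
    "loop-b.example.test.": {"CNAME": ["loop-a.example.test."]},
}


def additional_addresses(zone, ns_names):
    """Additional-section processing as deployed caches do it: fetch A/AAAA
    at the NS target name itself, without following CNAME. An NS target that
    only owns a CNAME therefore contributes no address at all."""
    addrs = []
    for ns in ns_names:
        rrs = zone.get(ns, {})
        addrs.extend(rrs.get("A", []) + rrs.get("AAAA", []))
    return addrs


def resolve_qname(zone, qname, qtype, max_chain=8):
    """QNAME lookup: follow a CNAME chain until an RRset of qtype is found,
    and raise on a CNAME loop (or an over-long chain). Returns the list of
    aliases traversed and the final RDATA list."""
    seen = []
    name = qname
    while True:
        rrs = zone.get(name, {})
        if qtype in rrs:
            return seen, rrs[qtype]
        if "CNAME" not in rrs:
            return seen, []                  # name exists but no data / NXDOMAIN
        if name in seen or len(seen) >= max_chain:
            raise ValueError("CNAME loop or chain too long at " + name)
        seen.append(name)
        name = rrs["CNAME"][0]


def ns_targets_that_are_aliases(zone):
    """Zone lint: NS RDATA that points at an alias rather than the canonical
    name, the configuration the thread says deployed caches do not handle."""
    return sorted(ns for rrs in zone.values() for ns in rrs.get("NS", [])
                  if "CNAME" in zone.get(ns, {}))
```

Running the lint over a real zone's NS RRsets (and those of its delegations) is the check an operator would want before publishing; here `additional_addresses` returns only ns1's address, while `resolve_qname` reaches ns2 through the alias.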
