[dns-operations] NS records pointing to names with CNAME records

George Barwood george.barwood at blueyonder.co.uk
Thu Jun 25 17:22:24 UTC 2009

----- Original Message ----- 
From: "Paul Vixie" <vixie at isc.org>
To: "Matthew Dempsky" <matthew at dempsky.org>
Cc: <dns-operations at lists.dns-oarc.net>
Sent: Thursday, June 25, 2009 5:00 PM
Subject: Re: [dns-operations] NS records pointing to names with CNAME records

>> Date: Wed, 24 Jun 2009 14:56:13 -0700
>> From: Matthew Dempsky <matthew at dempsky.org>
>> Does anyone have any knowledge of how well currently deployed DNS
>> caches handle NS records pointing to names with CNAME records?
> pretty much does not work.  there are two places it would need to work,
> one is in the additional section processing (when adding A/AAAA RRs to
> the additional data section corresponding to the NS RRs in the authority
> section), the other is in query forwarding (when deciding on a list of
> name server addresses to which a query might be forwarded.)  

Right. I think Matthew is probably only interested in the second of these,
specifically the internal resolution of nameserver names to A/AAA records.

> the RFC's
> do not mention following CNAME in these two cases; only in the case
> where the QNAME matches an alias does the RFC offer guideance.  as a
> result, i know of no implementation that follows CNAME in these two
> cases.  in RFC 1034 section 3.6.2 (page 15) i see this text:
> Domain names in RRs which point at another name should always point
> at the primary name and not the alias.  This avoids extra
> indirections in accessing information.

Right, but there is a sense that they shold be avoided purely for reasons of efficiency. 

The next section seems to me to be  the critical one though:

"Of course, by the robustness principle, domain software should not fail when presented with CNAME
chains or loops; CNAME chains should be followed and CNAME loops signalled as an error."

This means a "robust" name server should follow CNAME chains, and indeed this is very common,
you cannot resolve www.google.com without lots of this.

The internal case, where a name server is performing internal name resolution might be expected
to work as well, even though the RFC does not discuss it.

I think it is the case that early versions of BIND did not work, but that seems to have been over 10 years ago.

Whether there are any current resolvers that don't follow CNAMES when resolving name server
names to A/AAAA records seems to be an open question.

More information about the dns-operations mailing list