[dns-operations] A lot of CNAME queries for domain ?

Casey Deccio casey at deccio.net
Thu Jul 5 17:45:36 UTC 2012

On Thu, Jul 5, 2012 at 10:23 AM, Tony Finch <dot at dotat.at> wrote:

> Most of the CNAME queries in my logs are from dnsviz2.ca.sandia.gov.

Yup, that's me.  DNSViz sends queries for the name at the zone apex with
type CNAME to test for proper handling of NOERROR responses with an empty
answer section.  Because the name exists and a CNAME shouldn't (but I do
find some where it does...), I almost always get the type of response I'm
looking for.

Among the errors we saw early on with DNSSEC deployment were the lack of
NSEC(3) RRsets were not properly returned with negative responses and the
lack of RRSIGs covering such RRsets that were returned--even when RRSIGs
covered other RRsets (e.g., SOA) in responses from the same server.
 Sometimes the behavior differed depending on whether the response was
NXDOMAIN or NOERROR with empty answer section.

> But I don't have what I'd call a lot of them.
I wouldn't expect so.  Domains aren't polled more than every few hours, and
each poll would result in a since CNAME query at the zone apex per
authoritative server address.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20120705/c381e545/attachment.html>

More information about the dns-operations mailing list