[dns-operations] Curious use of cname

Mark Andrews marka at isc.org
Wed Aug 6 21:51:53 UTC 2014

In message <20140806191927.GT37544 at mx1.yitter.info>, Andrew Sullivan writes:
> On Wed, Aug 06, 2014 at 02:15:15PM -0400, John Wobus wrote:
> > From everything I know, this is wrong 
> Yep.
> > and it's apparently making our
> > nameservers give inconsistent results.
> Doubtless.
> > What nameserver allows this
> Several, every one of which apparently has to re-learn this.

Those with developers that don't read RFC 1034 which tried to prevent
this from happening.

The domain system provides such a feature using the canonical name
(CNAME) RR.  A CNAME RR identifies its owner name as an alias, and
specifies the corresponding canonical name in the RDATA section of the
RR.  If a CNAME RR is present at a node, no other data should be
present; this ensures that the data for a canonical name and its aliases
cannot be different.  This rule also insures that a cached CNAME can be
used without checking with an authoritative server for other RR types.


   3. Start matching down, label by label, in the zone.  The
      matching process can terminate several ways:

         a. If the whole of QNAME is matched, we have found the

            If the data at the node is a CNAME, and QTYPE doesn't
            match CNAME, copy the CNAME RR into the answer section
            of the response, change QNAME to the canonical name in
            the CNAME RR, and go back to step 1.

            Otherwise, copy all RRs which match QTYPE into the
            answer section and go to step 6.

This is a singular CNAME ("copy the CNAME") record without any other
data present at the node ("the data at the node is a CNAME").  Now
DNSSEC relaxes this slightly to allow RRSIG and KEY to co-exist
with a (singular) CNAME record.

> > and what might they be attempting to accomplish?
> They're probably trying to send their "bare domain" (e.g. example.com)
> off to a CDN using a CNAME.
> Best regards,
> A
> -- 
> Andrew Sullivan
> ajs at anvilwalrusden.com
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list