[dns-operations] Adding CNAME for the root domain issue

Andrew Sullivan ajs at anvilwalrusden.com
Wed Apr 27 17:59:36 UTC 2016


On Wed, Apr 27, 2016 at 09:29:49AM -0700, Matthew Pounsett wrote:
> specification says it can't.   And the reason it says it can't is because
> having a CNAME and any other data is ambiguous.  This paragraph presents it
> as if the rule is just arbitrary, and has no real justification.

I don't think it's ambiguous at all.  I think it's by definition impossible.

The semantics of "CNAME" are, "the owner name is actually this other
name".  Therefore, to have any other data at the CNAME would be
absurd.  We sort of wave our hands at this with RRSIGs, because of the
way that the DNS control plane and data plane are intermingled.  But
the basic problem is the very meaning of CNAME and the definition of
an apex (which, of course, requires an SOA).

This is a subtle point about CNAME, though, and very few people seem
to understand it.  I think it's because people don't look at the DNS
in itself, and really think it's just the way to connect to A/AAAA
records.  If you look at things that way, naturally, the subtleties of
CNAME are annoying.  Another use for the DWIM RRTYPE!

Getting the use cases right in general for this sort of alias record
is tricky.  It's taken Dyn several years finally to agree on exactly
the right way to do it -- we had a couple earlier designs that didn't
make the cut because we were unhappy with some of the side effects.
(The final version is now available, although I believe it's been a
soft launch.)

By the way, the "root of the zone" thing is all over the DNS industry.
Rooting that out (ha!) at one employer may have been my most useful
contribution.  

A

-- 
Andrew Sullivan
ajs at anvilwalrusden.com
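
An added example, not part of the message above or of any project's code: a pre-publication check that flags every owner name where a CNAME sits beside other data, which shows why the apex (the SOA owner) can never hold one. The zone text is constructed, the one-record-per-line format is a simplification of master-file syntax, and the NSEC exemption comes from RFC 4035 section 2.5 rather than from the message, which mentions only RRSIG.

```python
from collections import defaultdict

# Types allowed beside a CNAME in a signed zone (RFC 4035, section 2.5).
# The message names RRSIG; NSEC is added here on the RFC's authority.
DNSSEC_EXEMPT = {"RRSIG", "NSEC"}

# Constructed sample zone: fully qualified owners, one record per line,
# fields are "owner ttl class type rdata...". Names and data are made up.
SAMPLE_ZONE = """\
example.com.      3600 IN SOA   ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 300
example.com.      3600 IN NS    ns1.example.com.
example.com.      3600 IN CNAME lb.cdn.example.net.
www.example.com.  3600 IN CNAME lb.cdn.example.net.
www.example.com.  3600 IN RRSIG CNAME 13 3 3600 20300101000000 20290101000000 12345 example.com. c2ln
mail.example.com. 3600 IN CNAME mx.example.net.
mail.example.com. 3600 IN MX    10 mx.example.net.
ns1.example.com.  3600 IN A     192.0.2.53
"""


def parse_records(text):
    """Yield (owner, rrtype) pairs; owner names compare case-insensitively."""
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) < 5:
            raise ValueError(f"line {lineno}: expected owner ttl class type rdata")
        yield fields[0].lower(), fields[3].upper()


def cname_conflicts(text):
    """Map each owner holding a CNAME plus other data to the offending types."""
    types_at = defaultdict(set)
    for owner, rrtype in parse_records(text):
        types_at[owner].add(rrtype)
    conflicts = {}
    for owner, types in types_at.items():
        others = types - {"CNAME"} - DNSSEC_EXEMPT
        if "CNAME" in types and others:
            conflicts[owner] = sorted(others)
    return conflicts


if __name__ == "__main__":
    for owner, others in sorted(cname_conflicts(SAMPLE_ZONE).items()):
        print(f"{owner} CNAME coexists with {', '.join(others)}")
```

The apex always appears in the result when it carries a CNAME, because the SOA that defines it as an apex is itself "other data".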


