[dns-operations] Resolvers, DNSKEY queries and zone apex CNAMEs?

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Jan 23 21:43:48 UTC 2020


[ I think the issue merits some attention beyond just giving up.  Anyone
  else care to comment? ]

On Thu, Jan 23, 2020 at 01:53:52PM +0100, Vladimír Čunát wrote:

> apex CNAME is inherently incompatible with forwarding, as I see the
> standards *now*.

Sure, but Cloudflare and Verisign (modulo insufficient sample queries)
seem to handle it better than Google and Quad9, at least specifically
for DNSKEY queries.

For example, while I see no DNSKEY -> CNAME replies from these, at the
same time I do see CNAME replies when the qtype is changed to NS or SOA.

    - 1.0.0.1 / 1.1.1.1 / 64.6.64.6 / 64.6.65.6

    hypotheeklead.nl. IN CNAME prd.hypotheeklead.theinvited.nl. ; NoError AD=0
    hypotheeklead.nl. IN RRSIG CNAME 13 2 <...>; NoError AD=0
    prd.hypotheeklead.theinvited.nl. IN CNAME saturn.theinvited.nl. ; NoError AD=0
    theinvited.nl. IN SOA ns1.caveo.nl. <...>; AD=0

Fortunately, the glue records suffice for the former, and direct SOA
queries are not operationally essential except to slave servers polling
for updates, but here zone replication is presumably handled by other
means.

-- 
    Viktor.
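A reproducer for the kind of per-resolver, per-qtype comparison made above, added here as an example and not code from the thread or from any resolver operator: it runs dig +dnssec against the resolvers named in the mail (Google and Quad9 added by their well-known addresses 8.8.8.8 and 9.9.9.9) for DNSKEY, NS and SOA, and reports whether each answer was the requested type at the apex, a CNAME chain, or empty, together with the AD bit. The verdict names, TTLs, message id, signature and key rdata in the constructed sample replies are assumptions; only the owner names follow the records quoted in the mail. The parser runs offline on the constructed samples; survey() needs dig and network access.

```python
"""Survey how public resolvers answer queries for a zone whose apex carries a
CNAME, per query type.  Constructed example, not code from the dns-operations
thread.  parse_dig_answer()/classify() are exercised offline on constructed
dig output; survey() needs `dig` and network access.
"""
import re
import shutil
import subprocess
import sys

# Resolvers discussed in the thread (Cloudflare, Verisign, Google, Quad9).
RESOLVERS = ["1.1.1.1", "1.0.0.1", "64.6.64.6", "64.6.65.6", "8.8.8.8", "9.9.9.9"]
QTYPES = ["DNSKEY", "NS", "SOA"]

FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*); QUERY")
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s*(.*)$")


def parse_dig_answer(text):
    """Parse dig output into (ad_flag, [(owner, rtype, rdata), ...]).

    Only the ANSWER section is collected; AUTHORITY/ADDITIONAL are ignored.
    """
    ad = False
    answers = []
    in_answer = False
    for line in text.splitlines():
        m = FLAGS_RE.match(line)
        if m:
            ad = "ad" in m.group(1).split()
            continue
        if line.startswith(";;"):
            in_answer = line.startswith(";; ANSWER SECTION:")
            continue
        if in_answer and line.strip():
            m = RR_RE.match(line)
            if m:
                answers.append((m.group(1).rstrip("."), m.group(2), m.group(3)))
    return ad, answers


def classify(qname, qtype, answers):
    """Verdict for one <qname, qtype> reply (verdict names are assumptions, not dig's):
    'direct' = first RR is the requested type at qname,
    'cname'  = resolver chased the apex CNAME instead,
    'empty'  = no answer RRs, 'other' = anything else."""
    if not answers:
        return "empty"
    owner, rtype, _ = answers[0]
    if rtype == "CNAME" and owner == qname.rstrip("."):
        return "cname"
    if rtype == qtype and owner == qname.rstrip("."):
        return "direct"
    return "other"


def query(resolver, qname, qtype, timeout=5):
    """Ask one resolver with dig +dnssec (needs network and dig)."""
    cmd = ["dig", "+dnssec", f"+time={timeout}", "+tries=1",
           f"@{resolver}", qname, qtype]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return parse_dig_answer(out)


def survey(qname, resolvers=RESOLVERS, qtypes=QTYPES):
    """Return [(resolver, qtype, verdict, ad_flag), ...] for every combination."""
    rows = []
    for resolver in resolvers:
        for qtype in qtypes:
            ad, answers = query(resolver, qname, qtype)
            rows.append((resolver, qtype, classify(qname, qtype, answers), ad))
    return rows


# Constructed dig output modelled on the SOA reply quoted in the mail
# (TTLs, message id, signature and SOA rdata are made up).
SAMPLE_SOA_REPLY = """\
; <<>> DiG 9.18.0 <<>> +dnssec @1.1.1.1 hypotheeklead.nl SOA
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;hypotheeklead.nl.              IN      SOA

;; ANSWER SECTION:
hypotheeklead.nl.       300     IN      CNAME   prd.hypotheeklead.theinvited.nl.
hypotheeklead.nl.       300     IN      RRSIG   CNAME 13 2 300 20200301000000 20200201000000 12345 hypotheeklead.nl. c29tZXNpZw==
prd.hypotheeklead.theinvited.nl. 300 IN CNAME   saturn.theinvited.nl.

;; AUTHORITY SECTION:
theinvited.nl.          300     IN      SOA     ns1.caveo.nl. hostmaster.caveo.nl. 1 3600 900 604800 300
"""

# Constructed shape of a direct, validated DNSKEY answer (not an observed reply).
SAMPLE_DNSKEY_REPLY = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
hypotheeklead.nl.       3600    IN      DNSKEY  257 3 13 bWFkZXVwa2V5
hypotheeklead.nl.       3600    IN      RRSIG   DNSKEY 13 2 3600 20200301000000 20200201000000 12345 hypotheeklead.nl. c29tZXNpZw==
"""

if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "hypotheeklead.nl"
    if shutil.which("dig") is None:
        sys.exit("dig not found; run the offline samples through classify() instead")
    for resolver, qtype, verdict, ad in survey(name):
        print(f"{resolver:<12} {qtype:<7} {verdict:<7} AD={int(ad)}")
```

Run it as `python3 survey.py <zone>` with dig on the path; a row reading `cname` for DNSKEY means that resolver followed the apex CNAME for the key query, which is what the mail singles out, while `cname` for NS or SOA with AD=0 matches the Cloudflare/Verisign behaviour quoted above.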