[dns-operations] Gandi DNS server serving multiple CNAME record for a sigle entry.

[Emmanuel Fusté]

Hello,

Gandi authoritative DNS servers are returning multiple CNAME records
for a single entry.
dig  @ns-29-b.gandi.net +norecurse +dnssec CNAME lb.qual.flash-global.net

; <<>> DiG 9.18.2-1+ubuntu20.04.1+isc+3-Ubuntu <<>> @ns-29-b.gandi.net
+norecurse +dnssec CNAME lb.qual.flash-global.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16293
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;lb.qual.flash-global.net.      IN      CNAME

;; ANSWER SECTION:
lb.qual.flash-global.net. 10800 IN      CNAME   lb1.qual.flash-global.net.
lb.qual.flash-global.net. 10800 IN      CNAME   lb2.qual.flash-global.net.
lb.qual.flash-global.net. 10800 IN      RRSIG   CNAME 13 4 10800
20220526000000 20220505000000 57605 flash-global.net.
lLinFZUgXq8k823g0Ec/Q4vMysROQZWkimbTS7WDVE27TkzX6H2tyTFg
PzSF29et8UWW/AQ3tCqLeQRzUJEX1g==

;; Query time: 10 msec
;; SERVER: 213.167.230.30#53(ns-29-b.gandi.net) (UDP)
;; WHEN: Fri May 13 16:58:09 CEST 2022
;; MSG SIZE  rcvd: 201

And this is not a corruption, their zone admin interface lets you
declare as much as you want CNAME records for a signe entry. Checked
no later than this morning.

Is there any dns-operation consensus about this behavior ?
Is there someone from Gandi on dns-operation who could explain if this
is an intended behavior on their side and for what purpose or a bug to
fix ?

Most of their clients/users think that because their interface allows
it, it is legit and serves the same purpose as multiple A records
(round robin).
Hopefully, on a A request only the first CNAME and always the same is
returned as part of the answer.
But things relying on CNAME requests break in many and sometimes subtle ways.

Thank you.
Emmanuel.