[dns-operations] Gandi DNS server serving multiple CNAME records for a single entry.
Emmanuel Fusté
manu.fuste at gmail.com
Fri May 13 15:02:30 UTC 2022
Hello,
Gandi authoritative DNS servers are returning multiple CNAME records
for a single entry.
dig @ns-29-b.gandi.net +norecurse +dnssec CNAME lb.qual.flash-global.net
; <<>> DiG 9.18.2-1+ubuntu20.04.1+isc+3-Ubuntu <<>> @ns-29-b.gandi.net +norecurse +dnssec CNAME lb.qual.flash-global.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16293
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;lb.qual.flash-global.net. IN CNAME
;; ANSWER SECTION:
lb.qual.flash-global.net. 10800 IN CNAME lb1.qual.flash-global.net.
lb.qual.flash-global.net. 10800 IN CNAME lb2.qual.flash-global.net.
lb.qual.flash-global.net. 10800 IN RRSIG CNAME 13 4 10800 20220526000000 20220505000000 57605 flash-global.net. lLinFZUgXq8k823g0Ec/Q4vMysROQZWkimbTS7WDVE27TkzX6H2tyTFg PzSF29et8UWW/AQ3tCqLeQRzUJEX1g==
;; Query time: 10 msec
;; SERVER: 213.167.230.30#53(ns-29-b.gandi.net) (UDP)
;; WHEN: Fri May 13 16:58:09 CEST 2022
;; MSG SIZE rcvd: 201
And this is not a corruption, their zone admin interface lets you
declare as many CNAME records as you want for a single entry. Checked
no later than this morning.
Is there any dns-operation consensus about this behavior?
Is there someone from Gandi on dns-operation who could explain if this
is an intended behavior on their side and for what purpose or a bug to
fix?
Most of their clients/users think that because their interface allows
it, it is legit and serves the same purpose as multiple A records
(round robin).
Hopefully, on an A request only the first CNAME and always the same is
returned as part of the answer.
But things relying on CNAME requests break in many and sometimes subtle ways.
Thank you.
Emmanuel.
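
Added example, not part of Emmanuel's message: a small check that scans dig answer-section or zone-file text for owner names carrying more than one CNAME target, the condition shown in the output above. It goes one step beyond the post by also flagging a CNAME that sits beside other record types (RRSIG and NSEC excepted). The function names are hypothetical, the first three sample lines come from the dig output with the signature replaced by a placeholder, and the last line is constructed.

```python
from collections import defaultdict

# Constructed sample: the answer section from the post (RRSIG signature
# replaced by a placeholder) plus one made-up, well-formed alias for contrast.
SAMPLE = """\
lb.qual.flash-global.net. 10800 IN CNAME lb1.qual.flash-global.net.
lb.qual.flash-global.net. 10800 IN CNAME lb2.qual.flash-global.net.
lb.qual.flash-global.net. 10800 IN RRSIG CNAME 13 4 10800 20220526000000 20220505000000 57605 flash-global.net. SIGNATURE-PLACEHOLDER
www.example.test. 300 IN CNAME host.example.test.
"""

# DNSSEC record types that are allowed at the same owner name as a CNAME.
DNSSEC_TYPES = {"RRSIG", "NSEC"}

def parse_records(text):
    """Yield (owner, type, rdata) from 'owner ttl IN type rdata' lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and dig comment lines
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue  # not a resource record in the expected layout
        # DNS names compare case-insensitively, so normalise to lower case.
        yield fields[0].lower(), fields[3].upper(), " ".join(fields[4:]).lower()

def find_cname_violations(text):
    """Return {owner: [problem, ...]} for aliases that break the CNAME rules."""
    targets = defaultdict(set)   # owner -> distinct CNAME targets
    others = defaultdict(set)    # owner -> non-DNSSEC types beside the CNAME
    for owner, rtype, rdata in parse_records(text):
        if rtype == "CNAME":
            targets[owner].add(rdata)
        elif rtype not in DNSSEC_TYPES:
            others[owner].add(rtype)
    findings = {}
    for owner, tset in targets.items():
        problems = []
        if len(tset) > 1:
            problems.append("multiple CNAME targets: " + ", ".join(sorted(tset)))
        if others[owner]:
            problems.append("CNAME coexists with: " + ", ".join(sorted(others[owner])))
        if problems:
            findings[owner] = problems
    return findings

if __name__ == "__main__":
    for owner, problems in find_cname_violations(SAMPLE).items():
        for problem in problems:
            print(f"{owner}: {problem}")
```

Feeding it the output of a zone export or of `dig +norecurse` against each authoritative server lets the same check run before a zone is published or as a periodic audit.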