[dns-operations] Cloudflare people here ? Problematic records served from a Cloudflare hosted zone.
Emmanuel Fusté
manu.fuste at gmail.com
Fri Nov 21 14:18:40 UTC 2025
On 21/11/2025 at 12:39, Viktor Dukhovni wrote:
> On Fri, Nov 21, 2025 at 12:17:45PM +0100, Winfried via dns-operations wrote:
>
>>>>> multiple possible CNAME values for the same record leading to
>>>>> possible resolver's cache pollution.
>>>>> As the way to get one value or another is trivial, the way to
>>>>> control the resolver cached value is trivial too.
>> Please keep us informed if this case could cause problems for other resolver
>> operators as well or is otherwise relevant to them.
> What isn't clear from the original report is whether:
>
> 1. A single query response returns multiple CNAME records, or,
>
> 2. Several separate queries (possibly in quick succession) return
> different CNAMEs for the same qname.
>
> Of these, only "1" is a problem. There is nothing wrong with "2",
> rapidly changing CNAMEs for the same qname are to be expected, DNS data
> is not necessarily constant, or consistent across all authoritative
> servers, ...
>
> So which is it?
>
Hi Viktor,
It is not 1., a case reported a few years ago on Gandi authoritative
servers and which they fixed.
It is not 2.: the response is perfectly stable at the authoritative
level for a fixed query type but different for two different query types
(like MX vs A for example), hence the "cache pollution" possibility
whichever is the "expected correct value" from the user's point of view
(there is no high-level functional equivalence between the two served
values).
It seems to be a very specific, convoluted corner case involving
interactions between multiple advanced Cloudflare features, as Joe seems
to agree.
Emmanuel.
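
Added example, not part of Emmanuel's message or of the thread: one way to tell apart the three cases discussed above from answers collected at a single authoritative server. The names, addresses and the `classify` helper are constructed for illustration, and the input is assumed to be `dig +noall +answer` style text.

```python
# Added example. Input text follows the `dig +noall +answer` layout:
#   owner TTL class type rdata
# All names and addresses below are constructed (reserved example domains).

def _norm(name):
    return name.lower().rstrip(".")

def cname_targets(answer_text, qname):
    """CNAME targets owned by qname in one response's answer section."""
    targets = set()
    for line in answer_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # blank line, comment, or truncated record
        owner, rtype, rdata = fields[0], fields[3].upper(), fields[4]
        if rtype == "CNAME" and _norm(owner) == _norm(qname):
            targets.add(_norm(rdata))
    return targets

def classify(samples, qname):
    """samples: {qtype: [answer_text, ...]}, repeated queries to one server."""
    per_qtype = {}
    for qtype, responses in samples.items():
        seen = [cname_targets(text, qname) for text in responses]
        if any(len(t) > 1 for t in seen):
            return "multiple CNAMEs in one response"   # case 1 in the thread
        distinct = {frozenset(t) for t in seen}
        if len(distinct) > 1:
            return "CNAME changes between queries"     # case 2 in the thread
        per_qtype[qtype] = distinct.pop() if distinct else frozenset()
    # Compare only qtypes that were answered with a CNAME at qname.
    chains = {t for t in per_qtype.values() if t}
    if len(chains) > 1:
        return "CNAME depends on query type"           # the case reported here
    return "consistent"

SAMPLES = {  # constructed: each qtype queried twice, answers stable per qtype
    "A": ["www.example.com. 300 IN CNAME edge-a.example.net.\n"
          "edge-a.example.net. 300 IN A 192.0.2.10\n"] * 2,
    "MX": ["www.example.com. 300 IN CNAME edge-b.example.org.\n"] * 2,
}

if __name__ == "__main__":
    print(classify(SAMPLES, "www.example.com"))
```
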