[dns-operations] Also any Microsoft CDN people here?
Ondřej Surý
ondrej at sury.org
Thu Nov 27 11:41:03 UTC 2025
Same invalid CNAME behavior can be observed at msedge.net:
; <<>> DiG 9.21.14 <<>> +norec -t A l-ring.msedge.net. @ns1.msedge.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19903
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1224
;; QUESTION SECTION:
;l-ring.msedge.net. IN A
;; ANSWER SECTION:
l-ring.msedge.net. 60 IN CNAME l-ring.l-9999.l-msedge.net.
l-ring.l-9999.l-msedge.net. 240 IN CNAME l-9999.l-msedge.net.
l-9999.l-msedge.net. 240 IN A 13.107.42.254
;; Query time: 14 msec
;; SERVER: 204.79.197.1#53(ns1.msedge.net.) (UDP)
;; WHEN: Thu Nov 27 12:38:48 CET 2025
;; MSG SIZE rcvd: 113
but
; <<>> DiG 9.21.14 <<>> +norec -t HTTPS l-ring.msedge.net. @ns1.msedge.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6454
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1224
;; QUESTION SECTION:
;l-ring.msedge.net. IN HTTPS
;; AUTHORITY SECTION:
msedge.net. 900 IN SOA ns1.msedge.net. msnhst.microsoft.com. 2016041201 1800 900 2419200 3600
;; Query time: 14 msec
;; SERVER: 204.79.197.1#53(ns1.msedge.net.) (UDP)
;; WHEN: Thu Nov 27 12:38:57 CET 2025
;; MSG SIZE rcvd: 106
Ondrej
--
Ondřej Surý (He/Him)
ondrej at sury.org
> On 27. 11. 2025, at 12:34, Ondřej Surý <ondrej at sury.org> wrote:
>
> Hey Joe,
>
> found another case of CNAME weirdness.
>
> CNAME returned for A query (or NS or any other type that exists at the target of the CNAME):
>
> ; <<>> DiG 9.21.14 <<>> +norec in A www.berlin-city-tour.de. @lina.ns.cloudflare.com.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1239
> ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ;; QUESTION SECTION:
> ;www.berlin-city-tour.de. IN A
>
> ;; ANSWER SECTION:
> www.berlin-city-tour.de. 60 IN CNAME berlin-city-tour.de.
> berlin-city-tour.de. 300 IN A 167.71.36.225
>
> ;; Query time: 17 msec
> ;; SERVER: 2606:4700:50::adf5:3abb#53(lina.ns.cloudflare.com.) (UDP)
> ;; WHEN: Thu Nov 27 12:27:02 CET 2025
> ;; MSG SIZE rcvd: 82
>
> CNAME not returned for NODATA answer:
>
> ; <<>> DiG 9.21.14 <<>> +norec in AAAA www.berlin-city-tour.de. @lina.ns.cloudflare.com.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42854
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ;; QUESTION SECTION:
> ;www.berlin-city-tour.de. IN AAAA
>
> ;; AUTHORITY SECTION:
> berlin-city-tour.de. 1800 IN SOA amit.ns.cloudflare.com. dns.cloudflare.com. 2389579513 10000 2400 604800 1800
>
> ;; Query time: 17 msec
> ;; SERVER: 2606:4700:50::adf5:3abb#53(lina.ns.cloudflare.com.) (UDP)
> ;; WHEN: Thu Nov 27 12:27:33 CET 2025
> ;; MSG SIZE rcvd: 114
>
> I believe the CNAME has to be returned regardless of the target existence.
>
> Cheers,
> Ondrej
> --
> Ondřej Surý (He/Him)
> ondrej at sury.org
>
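A consistency check for the behaviour shown in this message, as an added example that is not part of the original post: it parses saved dig +norec output and reports names for which the same server returned a CNAME for one query type but a NOERROR response with an empty answer section for another. The two sample responses are constructed and trimmed (example.com, 192.0.2.10), and parse_dig and cname_inconsistencies are names introduced here.

```python
import re

# Constructed, trimmed dig +norec outputs from one hypothetical authoritative server.
A_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; QUESTION SECTION:
;www.example.com. IN A
;; ANSWER SECTION:
www.example.com. 60 IN CNAME example.com.
example.com. 300 IN A 192.0.2.10
"""
HTTPS_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; QUESTION SECTION:
;www.example.com. IN HTTPS
;; AUTHORITY SECTION:
example.com. 900 IN SOA ns1.example.com. hostmaster.example.com. 1 1800 900 604800 3600
"""

def parse_dig(text):
    """Extract status, (qname, qtype) and answer (owner, type) pairs from dig text."""
    status = re.search(r"status: (\w+)", text).group(1)
    section, question, answers = None, None, []
    for line in map(str.strip, text.splitlines()):
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            section = header.group(1)
        elif section == "QUESTION" and re.match(r";[^;\s]", line):
            fields = line[1:].split()
            question = (fields[0].lower(), fields[-1].upper())
        elif section == "ANSWER" and line and not line.startswith(";"):
            fields = line.split()
            answers.append((fields[0].lower(), fields[3].upper()))
    return {"status": status, "question": question, "answers": answers}

def cname_inconsistencies(responses):
    """Map qname -> (qtypes answered with a CNAME, qtypes answered NOERROR and empty)."""
    with_cname, nodata = {}, {}
    for r in responses:
        qname, qtype = r["question"]
        if (qname, "CNAME") in r["answers"]:
            with_cname.setdefault(qname, []).append(qtype)
        elif r["status"] == "NOERROR" and not r["answers"]:
            nodata.setdefault(qname, []).append(qtype)
    return {q: (with_cname[q], nodata[q]) for q in with_cname if q in nodata}

if __name__ == "__main__":
    print(cname_inconsistencies([parse_dig(A_RESPONSE), parse_dig(HTTPS_RESPONSE)]))
```

A name that only ever returns NODATA is not reported; the check fires only when at least one response from the same set shows a CNAME at the queried name.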