[dns-operations] Also any Microsoft CDN people here?
Ondřej Surý
ondrej at sury.org
Thu Nov 27 16:12:04 UTC 2025
> On 27. 11. 2025, at 16:37, Gavin McCullagh <gmccullagh at gmail.com> wrote:
>
> Is it causing some issue for resolvers?
A DNS resolver that follows the DNS standard could take a proof of nonexistence
for the AAAA record and also use it as a proof that the CNAME does not exist.
Similarly, what should a standards-compliant resolver do if it receives the following:
;; ANSWER SECTION:
www.berlin-city-tour.de. 60 IN CNAME berlin-city-tour.de.
berlin-city-tour.de. 300 IN A 167.71.36.225
and then
;; ANSWER SECTION:
www.berlin-city-tour.de. 3600 IN MX 10 mx00.ionos.de.
www.berlin-city-tour.de. 3600 IN MX 10 mx01.ionos.de.
Also the case with l-ring is kind of "what types we should handle" instead of just handling this uniformly, see:
;; QUESTION SECTION:
;l-ring.msedge.net. IN AAAA
;; ANSWER SECTION:
l-ring.msedge.net. 60 IN CNAME l-ring.l-9999.l-msedge.net.
l-ring.l-9999.l-msedge.net. 240 IN CNAME l-9999.l-msedge.net.
;; QUESTION SECTION:
;l-ring.msedge.net. IN A
;; ANSWER SECTION:
l-ring.msedge.net. 60 IN CNAME l-ring.l-9999.l-msedge.net.
l-ring.l-9999.l-msedge.net. 240 IN CNAME l-9999.l-msedge.net.
l-9999.l-msedge.net. 240 IN A 13.107.42.254
;l-ring.msedge.net. IN NS
;; ANSWER SECTION:
l-ring.msedge.net. 60 IN CNAME l-ring.l-9999.l-msedge.net.
l-ring.l-9999.l-msedge.net. 240 IN CNAME l-9999.l-msedge.net.
but
;; QUESTION SECTION:
;l-ring.msedge.net. IN SVCB
;; AUTHORITY SECTION:
msedge.net. 900 IN SOA ns1.msedge.net. msnhst.microsoft.com. 2016041201 1800 900 2419200 3600
and
;; QUESTION SECTION:
;l-ring.msedge.net. IN HTTPS
;; AUTHORITY SECTION:
msedge.net. 900 IN SOA ns1.msedge.net. msnhst.microsoft.com. 2016041201 1800 900 2419200 3600
****
So, depending on the order, the proof of nonexistence either comes from
l-msedge.net. 240 IN SOA ns1.l-msedge.net. msnhst.microsoft.com. 2016090101 1800 900 2419200 240
or
msedge.net. 900 IN SOA ns1.msedge.net. msnhst.microsoft.com. 2016041201 1800 900 2419200 3600
with different minimum values. So, in one case it gets cached for 240 seconds and in the second case for 900 seconds.
Sure, resolvers need to cope with a lot of crap in the DNS, but I would expect the CDN to at least try to behave nicely.
Ondrej
--
Ondřej Surý (He/Him)
ondrej at sury.org
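
The inconsistency described in the message above, as a small checker (an added example, not part of the original post and not any resolver's code). It parses dig-style record lines copied from the message, reports which query types returned a CNAME at the owner name and which did not, and computes the RFC 2308 negative-cache TTL as min(SOA TTL, SOA MINIMUM). The function names and the per-qtype dictionary layout are assumptions made for the illustration.

```python
# Added example: record lines are copied from the message above; function
# names and the RESPONSES layout are assumptions, not a resolver's API.

def parse_rr(line):
    """Split one dig-style line into (owner, ttl, rtype, rdata fields)."""
    owner, ttl, _cls, rtype, *rdata = line.split()
    return owner.lower(), int(ttl), rtype, rdata

def negative_ttl(soa_line):
    """RFC 2308: a negative answer is cached for min(SOA TTL, SOA MINIMUM)."""
    _owner, ttl, rtype, rdata = parse_rr(soa_line)
    if rtype != "SOA":
        raise ValueError("not an SOA record: " + soa_line)
    return min(ttl, int(rdata[-1]))  # MINIMUM is the last SOA field

def cname_conflicts(qname, responses):
    """responses: {qtype: {"answer": [lines], "authority": [lines]}}.
    Returns (qtypes answered with a CNAME at qname, qtypes answered without).
    Both lists non-empty means the name is served inconsistently."""
    with_cname, without = [], []
    for qtype, sections in responses.items():
        rrs = [parse_rr(line) for line in sections.get("answer", [])]
        has = any(o == qname and t == "CNAME" for o, _, t, _ in rrs)
        (with_cname if has else without).append(qtype)
    return sorted(with_cname), sorted(without)

CHAIN = ["l-ring.msedge.net. 60 IN CNAME l-ring.l-9999.l-msedge.net.",
         "l-ring.l-9999.l-msedge.net. 240 IN CNAME l-9999.l-msedge.net."]
SOA_PARENT = ("msedge.net. 900 IN SOA ns1.msedge.net. msnhst.microsoft.com. "
              "2016041201 1800 900 2419200 3600")
SOA_TARGET = ("l-msedge.net. 240 IN SOA ns1.l-msedge.net. "
              "msnhst.microsoft.com. 2016090101 1800 900 2419200 240")
RESPONSES = {  # one entry per query shown in the message
    "AAAA":  {"answer": CHAIN},
    "A":     {"answer": CHAIN + ["l-9999.l-msedge.net. 240 IN A 13.107.42.254"]},
    "NS":    {"answer": CHAIN},
    "SVCB":  {"answer": [], "authority": [SOA_PARENT]},
    "HTTPS": {"answer": [], "authority": [SOA_PARENT]},
}

if __name__ == "__main__":
    yes, no = cname_conflicts("l-ring.msedge.net.", RESPONSES)
    print("CNAME returned for:", yes)
    print("no CNAME for:      ", no)
    print("negative TTL via l-msedge.net SOA:", negative_ttl(SOA_TARGET))
    print("negative TTL via msedge.net SOA:  ", negative_ttl(SOA_PARENT))
```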