[dns-operations] Cloudflare CNAME ordering issue?

X L idealeer521 at gmail.com
Thu Jan 15 00:54:44 UTC 2026


About the "CNAME-restart logic" mentioned in
https://blog.cloudflare.com/cname-a-record-order-dns-standards/,
we have tested mainstream resolvers' behaviors in our USENIX Security 2023
paper:

CNAME Chaining:
https://www.usenix.org/system/files/usenixsecurity23-li-xiang.pdf
(Section 4.1 and Table 2)

> Third, we also found that the resolver can select a CNAME record from all
> the CNAME records embedded in R (during UpdateQuery) and query the closest
> server in the cache, but the implementations differ. BIND, Unbound, MaraDNS,
> and Simple DNS Plus use the first CNAME record to issue the following query
> Q, while Knot Resolver and PowerDNS Recursor use the last CNAME record.
> Microsoft DNS selects a random CNAME record to look up.


Xiang Li
Nankai University
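Added example (not code from this thread, the quoted paper, or Cloudflare): the difference between reading a CNAME chain by record position (first/last CNAME in the section, as the quoted passage describes) and following it by owner name as RFC 1034 section 3.6.2 intends. The records and the example.test names are constructed; the A-before-CNAME ordering is the one this thread is about.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    owner: str   # owner name, e.g. "www.example.test."
    rtype: str   # "CNAME" or "A"
    rdata: str   # target name for CNAME, IPv4 address for A


def canon(name: str) -> str:
    return name.rstrip(".").lower()


# Constructed two-hop chain: www -> cdn -> edge, with the A record at the end of the chain.
# ANSWER_A_FIRST places the A record before the CNAMEs that lead to it, the ordering
# discussed in the thread; ANSWER_CNAME_FIRST is the conventional chain order.
ANSWER_CNAME_FIRST = [
    RR("www.example.test.", "CNAME", "cdn.example.test."),
    RR("cdn.example.test.", "CNAME", "edge.example.test."),
    RR("edge.example.test.", "A", "192.0.2.10"),
]
ANSWER_A_FIRST = ANSWER_CNAME_FIRST[2:] + ANSWER_CNAME_FIRST[:2]


def by_position(answer, qtype, which="first"):
    """Position-based reading: pick the first or last CNAME in the section (the two
    policies the quoted paper attributes to different resolvers) and take the <qtype>
    records that follow it. The result depends entirely on the sender's ordering."""
    idx = [i for i, rr in enumerate(answer) if rr.rtype == "CNAME"]
    start = 0 if not idx else (idx[0] if which == "first" else idx[-1]) + 1
    return [rr.rdata for rr in answer[start:] if rr.rtype == qtype]


def by_owner(qname, qtype, answer, max_hops=8):
    """Owner-name following (RFC 1034 section 3.6.2): start at qname and at each hop use
    only records owned by the current name, so section order is irrelevant."""
    name, chain = canon(qname), []
    for _ in range(max_hops):
        owned = [rr for rr in answer if canon(rr.owner) == name]
        data = [rr.rdata for rr in owned if rr.rtype == qtype]
        if data:
            return data
        cnames = [rr for rr in owned if rr.rtype == "CNAME"]
        if not cnames:
            return []  # chain ends with no data of the requested type
        if len(cnames) > 1:
            raise ValueError(f"{name} has {len(cnames)} CNAME records; a CNAME must be alone")
        chain.append(name)
        name = canon(cnames[0].rdata)
        if name in chain:
            raise ValueError("CNAME loop: " + " -> ".join(chain + [name]))
    raise ValueError(f"CNAME chain longer than {max_hops} hops")
```

With ANSWER_A_FIRST, by_position returns no address at all while by_owner still yields 192.0.2.10; by_owner also rejects loops and multiple CNAMEs at one owner.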

On Wed, Jan 14, 2026 at 11:09 PM Joe Abley via dns-operations <
dns-operations at dns-oarc.net> wrote:

>
> ---------- Forwarded message ----------
> From: Joe Abley <jabley at strandkip.nl>
> To: Dave Lawrence <tale at dd.org>
> Cc: dns-operations at dns-oarc.net, sebastiaan at cloudflare.com
> Bcc:
> Date: Wed, 14 Jan 2026 16:01:43 +0100
> Subject: Re: [dns-operations] Cloudflare CNAME ordering issue?
> Hey,
>
> On 12 Jan 2026, at 18:20, Joe Abley <jabley at strandkip.nl> wrote:
>
> On 12 Jan 2026, at 17:00, Dave Lawrence via dns-operations <
> dns-operations at dns-oarc.net> wrote:
>
> Anyone have some examples of what the answers looked like during the
> incident?  I'm curious about how "the expectations of certain DNS
> client implementations" were improper.
>
> From another article I understood that the Cisco problem was
> they bombed out when they got the answer, but I'd not be inclined to
> describe that quite as an issue of their expectations.
>
>
> There will be a Cloudflare blog about this that describes things in some
> detail, some time this week I think.
>
>
> Sebastiaan's blog is now up, read it while it's hot:
>
> https://blog.cloudflare.com/cname-a-record-order-dns-standards/
>
> We also took the opportunity to dust off a related old internet-draft from
> 2015 and resubmit it, with this operational impact fresh in our minds:
>
> https://datatracker.ietf.org/doc/draft-jabley-dnsop-ordered-answer-section/
>
>
> Joe & Sebastiaan