<div><div dir="auto">Hi Brian,</div></div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Apr 2, 2020 at 12:46 Brian Somers <<a href="mailto:bsomers@opendns.com">bsomers@opendns.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
I saw an example of some pretty poor nameserver behaviour recently and it has now turned up again for a different domain, both hosted by cloudflare. It seems to be related to <a href="https://blog.cloudflare.com/zone-apex-naked-domain-root-domain-cname-supp/" rel="noreferrer" target="_blank">https://blog.cloudflare.com/zone-apex-naked-domain-root-domain-cname-supp/</a>. I thought I’d bring it up here to see if I could get any comments.<br>
<br>
The issue is with CNAMEs at a zone apex. While I could certainly add some “look under the CNAME” code to our resolvers, that doesn’t seem to be compliant with any RFCs… and it won’t be able to defend against this “sometimes CNAME at a zone apex” behaviour.<br>
<br>
The issue - with an unsigned zone (well, they sign RRsets but have no DS connection in the parent):<br>
<br>
$ dig +short ns dev<br>
<a href="http://ns-tld1.charlestonroadregistry.com" rel="noreferrer" target="_blank">ns-tld1.charlestonroadregistry.com</a>.<br>
<a href="http://ns-tld2.charlestonroadregistry.com" rel="noreferrer" target="_blank">ns-tld2.charlestonroadregistry.com</a>.<br>
<a href="http://ns-tld3.charlestonroadregistry.com" rel="noreferrer" target="_blank">ns-tld3.charlestonroadregistry.com</a>.<br>
<a href="http://ns-tld4.charlestonroadregistry.com" rel="noreferrer" target="_blank">ns-tld4.charlestonroadregistry.com</a>.<br>
<a href="http://ns-tld5.charlestonroadregistry.com" rel="noreferrer" target="_blank">ns-tld5.charlestonroadregistry.com</a>.<br>
<br>
$ for type in NS DS; do echo $type: $(dig +noall +answer +authority +nocrypt $type <a href="http://liferay.dev" rel="noreferrer" target="_blank">liferay.dev</a> @<a href="http://ns-tld1.charlestonroadregistry.com" rel="noreferrer" target="_blank">ns-tld1.charlestonroadregistry.com</a>); done<br>
NS: <a href="http://liferay.dev" rel="noreferrer" target="_blank">liferay.dev</a>. 10800 IN NS <a href="http://jim.ns.cloudflare.com" rel="noreferrer" target="_blank">jim.ns.cloudflare.com</a>. <a href="http://liferay.dev" rel="noreferrer" target="_blank">liferay.dev</a>. 10800 IN NS <a href="http://sofia.ns.cloudflare.com" rel="noreferrer" target="_blank">sofia.ns.cloudflare.com</a>.<br>
DS: dev. 300 IN SOA <a href="http://ns-tld1.charlestonroadregistry.com" rel="noreferrer" target="_blank">ns-tld1.charlestonroadregistry.com</a>. <a href="http://cloud-dns-hostmaster.google.com" rel="noreferrer" target="_blank">cloud-dns-hostmaster.google.com</a>. 1 21600 3600 259200 300<br>
<br>
$ for type in NS CNAME A TXT SOA; do echo $type: $(dig +noall +answer $type <a href="http://liferay.dev" rel="noreferrer" target="_blank">liferay.dev</a> @<a href="http://jim.ns.cloudflare.com" rel="noreferrer" target="_blank">jim.ns.cloudflare.com</a>); done<br>
NS: <a href="http://liferay.dev" rel="noreferrer" target="_blank">liferay.dev</a>. 86400 IN NS <a href="http://jim.ns.cloudflare.com" rel="noreferrer" target="_blank">jim.ns.cloudflare.com</a>. <a href="http://liferay.dev" rel="noreferrer" target="_blank">liferay.dev</a>. 86400 IN NS <a href="http://sofia.ns.cloudflare.com" rel="noreferrer" target="_blank">sofia.ns.cloudflare.com</a>.<br>
CNAME:<br>
A: <a href="http://liferay.dev" rel="noreferrer" target="_blank">liferay.dev</a>. 300 IN A 34.95.124.159<br>
TXT: <a href="http://liferay.dev" rel="noreferrer" target="_blank">liferay.dev</a>. 300 IN TXT "v=spf1 -all"<br>
SOA: <a href="http://liferay.dev" rel="noreferrer" target="_blank">liferay.dev</a>. 3600 IN SOA <a href="http://jim.ns.cloudflare.com" rel="noreferrer" target="_blank">jim.ns.cloudflare.com</a>. <a href="http://dns.cloudflare.com" rel="noreferrer" target="_blank">dns.cloudflare.com</a>. 2033691112 10000 2400 604800 3600<br>
<br>
$ dig +noall +answer <a href="http://portal.liferay.dev" rel="noreferrer" target="_blank">portal.liferay.dev</a> @<a href="http://jim.ns.cloudflare.com" rel="noreferrer" target="_blank">jim.ns.cloudflare.com</a><br>
<a href="http://portal.liferay.dev" rel="noreferrer" target="_blank">portal.liferay.dev</a>. 300 IN CNAME <a href="http://liferay.dev" rel="noreferrer" target="_blank">liferay.dev</a>.<br>
<a href="http://liferay.dev" rel="noreferrer" target="_blank">liferay.dev</a>. 300 IN CNAME web-lfrcommunity-prd.lfr.cloud.<br>
<br>
Pretty much the same issue with a signed zone:<br>
<br>
$ dig +short ns gov<br>
<a href="http://d.gov-servers.net" rel="noreferrer" target="_blank">d.gov-servers.net</a>.<br>
<a href="http://a.gov-servers.net" rel="noreferrer" target="_blank">a.gov-servers.net</a>.<br>
<a href="http://b.gov-servers.net" rel="noreferrer" target="_blank">b.gov-servers.net</a>.<br>
<a href="http://c.gov-servers.net" rel="noreferrer" target="_blank">c.gov-servers.net</a>.<br>
<br>
$ for type in NS DS; do echo $type: $(dig +noall +answer +authority +nocrypt $type <a href="http://medlineplus.gov" rel="noreferrer" target="_blank">medlineplus.gov</a> @<a href="http://d.gov-servers.net" rel="noreferrer" target="_blank">d.gov-servers.net</a>); done<br>
NS: <a href="http://medlineplus.gov" rel="noreferrer" target="_blank">medlineplus.gov</a>. 86400 IN NS <a href="http://gslb01.nlm.nih.gov" rel="noreferrer" target="_blank">gslb01.nlm.nih.gov</a>. <a href="http://medlineplus.gov" rel="noreferrer" target="_blank">medlineplus.gov</a>. 86400 IN NS <a href="http://gslb03.nlm.nih.gov" rel="noreferrer" target="_blank">gslb03.nlm.nih.gov</a>. <a href="http://medlineplus.gov" rel="noreferrer" target="_blank">medlineplus.gov</a>. 86400 IN NS <a href="http://gslb02.nlm.nih.gov" rel="noreferrer" target="_blank">gslb02.nlm.nih.gov</a>.<br>
DS: <a href="http://medlineplus.gov" rel="noreferrer" target="_blank">medlineplus.gov</a>. 3600 IN DS 30870 7 1 [omitted] <a href="http://medlineplus.gov" rel="noreferrer" target="_blank">medlineplus.gov</a>. 3600 IN DS 30870 7 2 [omitted]<br>
<br>
$ for type in NS CNAME A TXT SOA; do echo $type: $(dig +noall +answer $type <a href="http://medlineplus.gov" rel="noreferrer" target="_blank">medlineplus.gov</a> @<a href="http://gslb01.nlm.nih.gov" rel="noreferrer" target="_blank">gslb01.nlm.nih.gov</a>); done<br>
NS: <a href="http://medlineplus.gov" rel="noreferrer" target="_blank">medlineplus.gov</a>. 60 IN NS <a href="http://gslb01.nlm.nih.gov" rel="noreferrer" target="_blank">gslb01.nlm.nih.gov</a>. <a href="http://medlineplus.gov" rel="noreferrer" target="_blank">medlineplus.gov</a>. 60 IN NS <a href="http://gslb03.nlm.nih.gov" rel="noreferrer" target="_blank">gslb03.nlm.nih.gov</a>. <a href="http://medlineplus.gov" rel="noreferrer" target="_blank">medlineplus.gov</a>. 60 IN NS <a href="http://gslb02.nlm.nih.gov" rel="noreferrer" target="_blank">gslb02.nlm.nih.gov</a>.<br>
CNAME:<br>
A: <a href="http://medlineplus.gov" rel="noreferrer" target="_blank">medlineplus.gov</a>. 30 IN CNAME <a href="http://medlineplus.awsprod.nlm.nih.gov" rel="noreferrer" target="_blank">medlineplus.awsprod.nlm.nih.gov</a>.<br>
TXT: <a href="http://medlineplus.gov" rel="noreferrer" target="_blank">medlineplus.gov</a>. 60 IN TXT "v=spf1 include:<a href="http://nih.gov" rel="noreferrer" target="_blank">nih.gov</a> ~all" <a href="http://medlineplus.gov" rel="noreferrer" target="_blank">medlineplus.gov</a>. 60 IN TXT "7ae5d325d5804e5893a3bf186eed3bd6"<br>
SOA: <a href="http://medlineplus.gov" rel="noreferrer" target="_blank">medlineplus.gov</a>. 60 IN SOA <a href="http://gslb01.nlm.nih.gov" rel="noreferrer" target="_blank">gslb01.nlm.nih.gov</a>. <a href="http://hostmaster.gslb03.nlm.nih.gov" rel="noreferrer" target="_blank">hostmaster.gslb03.nlm.nih.gov</a>. 2020021804 10800 3600 604800 60<br>
<br>
How do others deal with this “sometimes a CNAME” behaviour? Does this break all resolvers?<br>
<br>
Thanks for any input.</blockquote><div dir="auto"><br></div><div dir="auto">Thanks for reporting this. We are looking into this and will update when we know this is happening.</div><div dir="auto"><br></div><div dir="auto">looking at this briefly shows multiple level of CNAMEs across different zones.</div><div dir="auto"><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
<br>
—<br>
Brian<br>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
</blockquote></div></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>With Regards,</div><div><br></div>Vicky Shrestha</div></div>