<div dir="auto">Hi Ondrey,<div dir="auto"><br></div><div dir="auto">I think it's evident that these DNS servers are likely not e.g. BIND but I don't quite understand why we'd say the behavior is "invalid". </div><div dir="auto"><br></div><div dir="auto">The DNS protocol, as I understand it, accepts that zone files may change at any moment and caches will catch up as ttls expire. That the zone file changed between the queries you made would explain your observations, right? One would have to get very lucky, but I think you could see the same output when querying a BIND nameserver. </div><div dir="auto"><br></div><div dir="auto">It appears these vendors have both created a DNS server that modifies the contents of zones, in real time, as each query arrives. The authoritative zone is changing each nanosecond in response to queries.</div><div dir="auto"><br></div><div dir="auto">If you want to call this "stupid DNS tricks", feel free. But I don't understand why it is illegal or "invalid" to create, modify or delete cnames in response to events. Every DNS server does this for some definition of "event" so a resolver cannot expect consistency between successive query responses.</div><div dir="auto"><br></div><div dir="auto">A resolver may cache the cname's existence (or non-existence) of course. But as long as the authorities accept that caching will happen and allow for it, why is there a problem? I think it's safe to assume they don't update the soa serial or propagate every change via axfr, but that seems to be the authority's concern.</div><div dir="auto"><div dir="auto"><br></div><div dir="auto">If we look hard enough, my employer's DNS service can be configured to change the values of cnames in response to queries (though I don't think they disappear ever). This does not seem fundamentally different. </div><div dir="auto"><br></div><div dir="auto">Is it causing some issue for resolvers?</div><div dir="auto"><br></div><div dir="auto">Gavin</div><div dir="auto"><br></div></div><br><br><div class="gmail_quote gmail_quote_container" dir="auto"><div dir="ltr" class="gmail_attr">On Thu, Nov 27, 2025, 3:51 AM Ondřej Surý <<a href="mailto:ondrej@sury.org">ondrej@sury.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Same invalid CNAME behavior can be observed at <a href="http://msedge.net" rel="noreferrer noreferrer" target="_blank">msedge.net</a>:<br>
<br>
; <<>> DiG 9.21.14 <<>> +norec -t A <a href="http://l-ring.msedge.net" rel="noreferrer noreferrer" target="_blank">l-ring.msedge.net</a>. @<a href="http://ns1.msedge.net" rel="noreferrer noreferrer" target="_blank">ns1.msedge.net</a>.<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19903<br>
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 1224<br>
;; QUESTION SECTION:<br>
;<a href="http://l-ring.msedge.net" rel="noreferrer noreferrer" target="_blank">l-ring.msedge.net</a>. IN A<br>
<br>
;; ANSWER SECTION:<br>
<a href="http://l-ring.msedge.net" rel="noreferrer noreferrer" target="_blank">l-ring.msedge.net</a>. 60 IN CNAME <a href="http://l-ring.l-9999.l-msedge.net" rel="noreferrer noreferrer" target="_blank">l-ring.l-9999.l-msedge.net</a>.<br>
<a href="http://l-ring.l-9999.l-msedge.net" rel="noreferrer noreferrer" target="_blank">l-ring.l-9999.l-msedge.net</a>. 240 IN CNAME <a href="http://l-9999.l-msedge.net" rel="noreferrer noreferrer" target="_blank">l-9999.l-msedge.net</a>.<br>
<a href="http://l-9999.l-msedge.net" rel="noreferrer noreferrer" target="_blank">l-9999.l-msedge.net</a>. 240 IN A 13.107.42.254<br>
<br>
;; Query time: 14 msec<br>
;; SERVER: 204.79.197.1#53(<a href="http://ns1.msedge.net" rel="noreferrer noreferrer" target="_blank">ns1.msedge.net</a>.) (UDP)<br>
;; WHEN: Thu Nov 27 12:38:48 CET 2025<br>
;; MSG SIZE rcvd: 113<br>
<br>
but<br>
<br>
; <<>> DiG 9.21.14 <<>> +norec -t HTTPS <a href="http://l-ring.msedge.net" rel="noreferrer noreferrer" target="_blank">l-ring.msedge.net</a>. @<a href="http://ns1.msedge.net" rel="noreferrer noreferrer" target="_blank">ns1.msedge.net</a>.<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6454<br>
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 1224<br>
;; QUESTION SECTION:<br>
;<a href="http://l-ring.msedge.net" rel="noreferrer noreferrer" target="_blank">l-ring.msedge.net</a>. IN HTTPS<br>
<br>
;; AUTHORITY SECTION:<br>
<a href="http://msedge.net" rel="noreferrer noreferrer" target="_blank">msedge.net</a>. 900 IN SOA <a href="http://ns1.msedge.net" rel="noreferrer noreferrer" target="_blank">ns1.msedge.net</a>. <a href="http://msnhst.microsoft.com" rel="noreferrer noreferrer" target="_blank">msnhst.microsoft.com</a>. 2016041201 1800 900 2419200 3600<br>
<br>
;; Query time: 14 msec<br>
;; SERVER: 204.79.197.1#53(<a href="http://ns1.msedge.net" rel="noreferrer noreferrer" target="_blank">ns1.msedge.net</a>.) (UDP)<br>
;; WHEN: Thu Nov 27 12:38:57 CET 2025<br>
;; MSG SIZE rcvd: 106<br>
<br>
Ondrej<br>
--<br>
Ondřej Surý (He/Him)<br>
<a href="mailto:ondrej@sury.org" target="_blank" rel="noreferrer">ondrej@sury.org</a><br>
<br>
> On 27. 11. 2025, at 12:34, Ondřej Surý <<a href="mailto:ondrej@sury.org" target="_blank" rel="noreferrer">ondrej@sury.org</a>> wrote:<br>
> <br>
> Hey Joe,<br>
> <br>
> found another case of CNAME weirdness.<br>
> <br>
> CNAME returned for A query (or NS or any other type that exists at the target of the CNAME):<br>
> <br>
> ; <<>> DiG 9.21.14 <<>> +norec in A <a href="http://www.berlin-city-tour.de" rel="noreferrer noreferrer" target="_blank">www.berlin-city-tour.de</a>. @<a href="http://lina.ns.cloudflare.com" rel="noreferrer noreferrer" target="_blank">lina.ns.cloudflare.com</a>.<br>
> ;; global options: +cmd<br>
> ;; Got answer:<br>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1239<br>
> ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1<br>
> <br>
> ;; OPT PSEUDOSECTION:<br>
> ; EDNS: version: 0, flags:; udp: 1232<br>
> ;; QUESTION SECTION:<br>
> ;<a href="http://www.berlin-city-tour.de" rel="noreferrer noreferrer" target="_blank">www.berlin-city-tour.de</a>. IN A<br>
> <br>
> ;; ANSWER SECTION:<br>
> <a href="http://www.berlin-city-tour.de" rel="noreferrer noreferrer" target="_blank">www.berlin-city-tour.de</a>. 60 IN CNAME <a href="http://berlin-city-tour.de" rel="noreferrer noreferrer" target="_blank">berlin-city-tour.de</a>.<br>
> <a href="http://berlin-city-tour.de" rel="noreferrer noreferrer" target="_blank">berlin-city-tour.de</a>. 300 IN A 167.71.36.225<br>
> <br>
> ;; Query time: 17 msec<br>
> ;; SERVER: 2606:4700:50::adf5:3abb#53(<a href="http://lina.ns.cloudflare.com" rel="noreferrer noreferrer" target="_blank">lina.ns.cloudflare.com</a>.) (UDP)<br>
> ;; WHEN: Thu Nov 27 12:27:02 CET 2025<br>
> ;; MSG SIZE rcvd: 82<br>
> <br>
> CNAME not returned for NODATA answer:<br>
> <br>
> ; <<>> DiG 9.21.14 <<>> +norec in AAAA <a href="http://www.berlin-city-tour.de" rel="noreferrer noreferrer" target="_blank">www.berlin-city-tour.de</a>. @<a href="http://lina.ns.cloudflare.com" rel="noreferrer noreferrer" target="_blank">lina.ns.cloudflare.com</a>.<br>
> ;; global options: +cmd<br>
> ;; Got answer:<br>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42854<br>
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1<br>
> <br>
> ;; OPT PSEUDOSECTION:<br>
> ; EDNS: version: 0, flags:; udp: 1232<br>
> ;; QUESTION SECTION:<br>
> ;<a href="http://www.berlin-city-tour.de" rel="noreferrer noreferrer" target="_blank">www.berlin-city-tour.de</a>. IN AAAA<br>
> <br>
> ;; AUTHORITY SECTION:<br>
> <a href="http://berlin-city-tour.de" rel="noreferrer noreferrer" target="_blank">berlin-city-tour.de</a>. 1800 IN SOA <a href="http://amit.ns.cloudflare.com" rel="noreferrer noreferrer" target="_blank">amit.ns.cloudflare.com</a>. <a href="http://dns.cloudflare.com" rel="noreferrer noreferrer" target="_blank">dns.cloudflare.com</a>. 2389579513 10000 2400 604800 1800<br>
> <br>
> ;; Query time: 17 msec<br>
> ;; SERVER: 2606:4700:50::adf5:3abb#53(<a href="http://lina.ns.cloudflare.com" rel="noreferrer noreferrer" target="_blank">lina.ns.cloudflare.com</a>.) (UDP)<br>
> ;; WHEN: Thu Nov 27 12:27:33 CET 2025<br>
> ;; MSG SIZE rcvd: 114<br>
> <br>
> I believe the CNAME has to be returned regardless of the target existence.<br>
> <br>
> Cheers,<br>
> Ondrej<br>
> --<br>
> Ondřej Surý (He/Him)<br>
> <a href="mailto:ondrej@sury.org" target="_blank" rel="noreferrer">ondrej@sury.org</a><br>
> <br>
<br>
<br>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank" rel="noreferrer">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
</blockquote></div></div>