<div dir="ltr"><div>About the "CNAME-restart logic" mentioned in <a href="https://blog.cloudflare.com/cname-a-record-order-dns-standards/" target="_blank">https://blog.cloudflare.com/cname-a-record-order-dns-standards/</a>,</div><div>we have tested mainstream resolvers' behaviors in our USENIX Security 2023 paper:</div><div><br></div><div>CNAME Chaining:</div><div><a href="https://www.usenix.org/system/files/usenixsecurity23-li-xiang.pdf">https://www.usenix.org/system/files/usenixsecurity23-li-xiang.pdf</a></div><div>(Section 4.1 and Table 2)</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Third, we also found that the resolver can select a CNAME record from all the CNAME records embedded in R (during UpdateQuery) and query the closest server in the cache, but the implementations differ. BIND, Unbound, MaraDNS, and Simple DNS Plus use the first CNAME record to issue the following query Q, while Knot Resolver and PowerDNS Recursor use the last CNAME record. Microsoft DNS selects a random CNAME record to look up.</blockquote><div><br></div><div>Xiang Li</div><div>Nankai University</div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Wed, Jan 14, 2026 at 11:09 PM Joe Abley via dns-operations <<a href="mailto:dns-operations@dns-oarc.net">dns-operations@dns-oarc.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">---------- Forwarded message ----------<br>From: Joe Abley <<a href="mailto:jabley@strandkip.nl" target="_blank">jabley@strandkip.nl</a>><br>To: Dave Lawrence <<a href="mailto:tale@dd.org" target="_blank">tale@dd.org</a>><br>Cc: <a href="mailto:dns-operations@dns-oarc.net" target="_blank">dns-operations@dns-oarc.net</a>, <a href="mailto:sebastiaan@cloudflare.com" target="_blank">sebastiaan@cloudflare.com</a><br>Date: Wed, 14 Jan 2026 16:01:43 +0100<br>Subject: Re: [dns-operations] Cloudflare CNAME ordering issue?<br><div>Hey,<br><div><br><div><div>On 12 Jan 2026, at 18:20, Joe Abley <<a href="mailto:jabley@strandkip.nl" target="_blank">jabley@strandkip.nl</a>> wrote:</div><br></div><blockquote type="cite"><div><div>On 12 Jan 2026, at 17:00, Dave Lawrence via dns-operations <<a href="mailto:dns-operations@dns-oarc.net" target="_blank">dns-operations@dns-oarc.net</a>> wrote:<br><br><blockquote type="cite">Anyone have some examples of what the answers looked like during the<br>incident? I'm curious about how "the expectations of certain DNS<br>client implementations" were improper. 
<br><br>From another article I understood that the Cisco problem was<br>they bombed out when they got the answer, but I'd not be inclined to<br>describe that quite as an issue of their expectations.<br></blockquote><br>There will be a Cloudflare blog about this that describes things in some detail, some time this week I think.<br></div></div></blockquote><div><br></div></div>Sebastiaan's blog is now up, read it while it's hot:<div><br></div><div><a href="https://blog.cloudflare.com/cname-a-record-order-dns-standards/" target="_blank">https://blog.cloudflare.com/cname-a-record-order-dns-standards/</a></div><div><br></div><div>We also took the opportunity to dust off a related old internet-draft from 2015 and resubmit it, with this operational impact fresh in our minds:</div><div><br></div><div><a href="https://datatracker.ietf.org/doc/draft-jabley-dnsop-ordered-answer-section/" target="_blank">https://datatracker.ietf.org/doc/draft-jabley-dnsop-ordered-answer-section/</a></div><div><br></div><div><br></div><div>Joe & Sebastiaan</div></div>
</blockquote></div></div>
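<div>The paper excerpt above reports that resolvers pick the CNAME to follow by its position in the message (first, last, or random), and the Cloudflare post and the draft linked in the thread are about what happens when the answer section is not in CNAME-first order. The following example, added here and not taken from the paper, from Cloudflare or from any of the resolvers named, shows the alternative a client can use: walk the chain by owner name, starting at the QNAME, so the result does not depend on record order, and reject loops and names that own more than one CNAME. Every name (under example.test) and address (192.0.2.x) is constructed; <code>positional_pick</code> only emulates the first/last selection the paper describes and is not any resolver's code.</div>

```python
"""Order-independent CNAME chaining over a DNS answer section.

Added example for this thread; it is not code from the USENIX paper, from
Cloudflare or from any resolver named above. The answer section is modelled
as (owner, type, rdata) tuples, and every name and address is constructed
(example.test, 192.0.2.x) rather than taken from the incident.
"""
from typing import Dict, List, Tuple

RR = Tuple[str, str, str]  # (owner name, RR type, rdata)


def canon(name: str) -> str:
    """Owner names compare case-insensitively and as FQDNs."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def follow_chain(qname: str, qtype: str, answer: List[RR],
                 max_hops: int = 8) -> Tuple[List[str], List[str]]:
    """Walk the CNAME chain from qname by owner name, ignoring record order.

    Returns (names visited starting at qname, sorted rdata of the terminal
    qtype records). An empty rdata list means the chain ends at a name the
    answer does not cover, so the resolver must restart the query there.
    Raises ValueError for loops, over-long chains, or a name that owns more
    than one CNAME (a CNAME must be the only RR at its owner name).
    """
    current = canon(qname)
    chain, seen = [current], {current}
    for _ in range(max_hops):
        cnames = [rd for own, t, rd in answer
                  if canon(own) == current and t == "CNAME"]
        if len(cnames) > 1:
            raise ValueError(f"{current} owns {len(cnames)} CNAME records")
        if not cnames:
            terminal = [rd for own, t, rd in answer
                        if canon(own) == current and t == qtype]
            return chain, sorted(terminal)
        target = canon(cnames[0])
        if target in seen:
            raise ValueError(f"CNAME loop at {target}")
        seen.add(target)
        chain.append(target)
        current = target
    raise ValueError(f"CNAME chain longer than {max_hops} hops")


def chain_is_valid(qname: str, qtype: str, answer: List[RR]) -> bool:
    """True when the chain resolves without a loop or other structural fault."""
    try:
        follow_chain(qname, qtype, answer)
        return True
    except ValueError:
        return False


def positional_pick(answer: List[RR], strategy: str) -> str:
    """Emulate the positional selection the paper reports: the next name a
    resolver queries if it takes the first or the last CNAME in the message."""
    cnames = [rd for _, t, rd in answer if t == "CNAME"]
    if not cnames:
        raise ValueError("no CNAME record in answer")
    return canon(cnames[0] if strategy == "first" else cnames[-1])


# Constructed two-hop chain, records in the conventional CNAME-first order.
ORDERED: List[RR] = [
    ("www.example.test.", "CNAME", "edge.example.test."),
    ("edge.example.test.", "CNAME", "lb.example.test."),
    ("lb.example.test.", "A", "192.0.2.10"),
    ("lb.example.test.", "A", "192.0.2.11"),
]
# Identical records, emitted in a different order.
SHUFFLED: List[RR] = [ORDERED[3], ORDERED[1], ORDERED[0], ORDERED[2]]


def compare_strategies(answer: List[RR]) -> Dict[str, object]:
    """Next-hop decisions for one answer section under each strategy."""
    chain, addrs = follow_chain("www.example.test", "A", answer)
    return {
        "by_owner_name": chain[1],  # always the CNAME owned by the QNAME
        "first_cname": positional_pick(answer, "first"),
        "last_cname": positional_pick(answer, "last"),
        "addresses": addrs,
    }


if __name__ == "__main__":
    for label, ans in (("ordered", ORDERED), ("shuffled", SHUFFLED)):
        print(label, compare_strategies(ans))
```

<div>Running it prints the same owner-name result and the same addresses for both orderings, while the first/last picks swap between <code>edge.example.test.</code> and <code>lb.example.test.</code> once the records are reordered. Both positional resolvers still converge here, because every name in the chain is present in the message, but the by-owner-name walk is the only one of the three whose next hop is a function of the records themselves rather than of how the authoritative server happened to serialise them.</div>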