[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

DNS hostnames with a duplicate CNAME and A record - which should be removed?

Landon Stewart wrote:

> I've been reading various sites and information including RFC 1034 but
> it's difficult to decide what to do when it's already an issue.  For
> example in RFC 1034 section 3.6.2 the use of CNAME's with NS and MX records
> is not permitted but other research shows this is widely used even though
> its technically invalid.  IMHO it should have never happened in the first
> place (where an A record already exists a CNAME should not have been
> allowed to get added for example) but what can be done now that it's
> already an issue?

The rule of RFC1034 is not applicable to secure DNS.

W.r.t. RFC1034, the following text:

	The one exception to this rule is that queries which match
	the CNAME type are not restarted.

is the key.

For name servers, any RR types which may coexist with CNAME must
also match CNAME. In addition, for queries with such RR types,
cached CNAME without cached exact RR types should be ignored.

> In the case of the A,NS,MX,SOA and CNAME duplicates an example of how our
> old/current name server's responses are:
> (*note: not all of this is real data, customer zones have been obfuscated)*

SOA and NS could have matched CNAME, which enables a zone
containing just a CNAME, though RFC1034 does not specify so.

It is not harmful except that queries with SOA or NS type may
cause loops if some cache have CNAME RRs.

						Masataka Ohta