CNAME at apex, was Re: Issue running "dig txt rs.dns-oarc.net" on 9.12

Matthew Pounsett matt at conundrum.com
Sat Mar 10 14:53:29 UTC 2018


On 10 March 2018 at 04:08, Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:

> Cathy Almond <cathya at isc.org> wrote:
>>
>>> The rs.dns-oarc.net zone is broken because it returns a CNAME for
>>> queries at the apex.
>>>
>>
> On 09.03.18 15:23, Tony Finch wrote:
>
>> I just got a problem report from a user who has a few personal domains
>> with CNAME at apex that used to work (or at least appeared to work) but
>> no longer do.
>>
>> I've said that the domains are misconfigured, but since this is a
>> relatively widespread misconfiguration, I think it's likely to cause
>> more complaints. Tiresome.
>>
>
> it's the very common result of misconfiguration that something sometimes
> does not work, while sometimes it does.
>

Apex CNAMEs, in particular, have nondeterministic failure modes, in that
each resolver deals differently with this misconfiguration, since by
definition there is no correct way to deal with it.  Some resolvers find a
way to gloss over the problem, and others fail hard, making the domain name
and everything below it unresolvable for the TTL of either the apex NS set
or the TTL of the CNAME itself, depending on which way it breaks.

Best to just stop doing that so that whether the domain works doesn't
depend on which resolver you're trying to use.
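
Added example, not part of the original message or of BIND: a zone-file check that flags the misconfiguration discussed above, any owner name (the apex included) that holds a CNAME alongside other data. The function names, the sample zone and the simplified one-record-per-line parsing are assumptions of this example.

```python
import re
from collections import defaultdict

# Types that may share an owner name with a CNAME (DNSSEC records).
ALLOWED_WITH_CNAME = {"RRSIG", "NSEC"}
TTL_OR_CLASS = re.compile(r"(\d+[smhdw]?)+|IN|CH|HS", re.IGNORECASE)

# Constructed sample zone for example.com. (not taken from the thread).
SAMPLE_ZONE = """\
$TTL 3600
@       IN SOA   ns1.example.net. hostmaster.example.net. 1 7200 900 1209600 3600
        IN NS    ns1.example.net.
@       IN CNAME host.example.org.   ; the apex misconfiguration
www     IN CNAME host.example.org.   ; fine: nothing else at this name
mail    300 IN A 192.0.2.25
"""

def fqdn(name, origin):
    """Expand a master-file owner name against the zone origin."""
    if name == "@":
        return origin.lower()
    return (name if name.endswith(".") else f"{name}.{origin}").lower()

def find_cname_conflicts(zone_text, origin):
    """Return {owner: sorted types} for owners holding a CNAME plus other data.

    Assumption: simplified master file, one record per line, no parenthesised
    multi-line records; $-directives ($TTL, $ORIGIN, $INCLUDE) are skipped.
    """
    types = defaultdict(set)
    owner = origin.lower()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip() or line.lstrip().startswith("$"):
            continue
        fields = line.split()
        if not raw[0].isspace():                  # leading blank reuses last owner
            owner = fqdn(fields.pop(0), origin)
        while fields and TTL_OR_CLASS.fullmatch(fields[0]):
            fields.pop(0)                         # skip optional TTL and class
        if fields:
            types[owner].add(fields[0].upper())
    return {o: sorted(t) for o, t in types.items()
            if "CNAME" in t and t - {"CNAME"} - ALLOWED_WITH_CNAME}

if __name__ == "__main__":
    for name, rrtypes in find_cname_conflicts(SAMPLE_ZONE, "example.com.").items():
        print(f"{name}: CNAME coexists with other data: {rrtypes}")
```

Because the apex always carries SOA and NS records, any CNAME there is reported; www is not, since the CNAME is the only record at that name.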