Add TXT records for SPF when CNAME exists in same sub-domain

Tue Nov 29 00:12:08 UTC 2022

RFC 1034

3.6.2 second paragraph:

“If a CNAME RR is present at a node, no other data should be
present; this ensures that the data for a canonical name and its aliases
cannot be different.  This rule also insures that a cached CNAME can be
used without checking with an authoritative server for other RR types.”

There may be an updated RFC that states the same thing differently but it is a well-known DNS rule.

valimail.com’s blackbox might be able to get around it but I would not know for sure.

John

From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Chris Liesfield
Sent: Monday, November 28, 2022 6:03 PM
To: bind-users at lists.isc.org
Subject: Add TXT records for SPF when CNAME exists in same sub-domain

Hi All. Hopefully my terminology is correct and I make sense.

We have a main domain "something.com.au<http://something.com.au>" with a few sub-domains, "this", "that", etc.

For all of our 'A' records in something.com.au<http://something.com.au>, we have specified TXT records for SPF, however our sub-domains contain CNAMEs only.

It appears TXT and CNAME records for the same string/host cannot co-exist. We are able to specify an SPF record for the origin only in each sub-domain.

Open to any suggestions on how to get around this issue.

Thanks in advance.

$TTL 3600
@                       IN      SOA  something.com.au<http://something.com.au>. bofh.something.com.au<http://bofh.something.com.au>. (
                                        2022112901 ; serial
                                        10800      ; refresh (3 hours)
                                        3600       ; retry (1 hour)
                                        604800     ; expire (1 week)
                                        3600       ; minimum (1 hour)
                                        )
                        NS      ns1.something.com.au<http://ns1.something.com.au>.
                        NS      ns2.something.com.au<http://ns2.something.com.au>.
                        MX      10 mail.something.com.au<http://mail.something.com.au>.

; A Records

localhost               A       127.0.0.1
www                   A       1.2.3.4
@ IN      A       1.2.3.4

; SPF records

; working without a problem.
www                     TXT     "v=spf1 -all"

$ORIGIN this.something.com.au<http://this.something.com.au>.
$TTL 3600       ; 1 hour
www                     CNAME   stuff.somewhereelse.com.au<http://stuff.somewhereelse.com.au>.
@                       CNAME   stuff.somewhereelse.com.au<http://stuff.somewhereelse.com.au>.

; SPF records

; BIND considers this an invalid statement - no corresponding 'A' record - conflict with CNAME?
www                     TXT     "v=spf1 -all"
; working without a problem.
@                       TXT     "v=spf1 -all"

$ORIGIN that.something.com.au<http://that.something.com.au>.
$TTL 3600       ; 1 hour
www                     CNAME   stuff.overthere.com.au<http://stuff.overthere.com.au>.
@                       CNAME   stuff.overthere.com.au<http://stuff.overthere.com.au>.

; SPF records

; BIND considers this an invalid statement - no corresponding 'A' record - conflict with CNAME?
www                     TXT     "v=spf1 -all"
; working without a problem.
@                       TXT     "v=spf1 -all"

--
Chris.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20221129/6bc518eb/attachment.htm>