Add TXT records for SPF when CNAME exists in same sub-domain
John W. Blue
john.blue at rrcic.com
Tue Nov 29 00:12:08 UTC 2022
RFC 1034
3.6.2 second paragraph:
“If a CNAME RR is present at a node, no other data should be
present; this ensures that the data for a canonical name and its aliases
cannot be different. This rule also insures that a cached CNAME can be
used without checking with an authoritative server for other RR types.”
There may be an updated RFC that states the same thing differently but it is a well-known DNS rule.
valimail.com’s blackbox might be able to get around it but I would not know for sure.
John
From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Chris Liesfield
Sent: Monday, November 28, 2022 6:03 PM
To: bind-users at lists.isc.org
Subject: Add TXT records for SPF when CNAME exists in same sub-domain
Hi All. Hopefully my terminology is correct and I make sense.
We have a main domain "something.com.au" with a few sub-domains, "this", "that", etc.
For all of our 'A' records in something.com.au, we have specified TXT records for SPF, however our sub-domains contain CNAMEs only.
It appears TXT and CNAME records for the same string/host cannot co-exist. We are able to specify an SPF record for the origin only in each sub-domain.
Open to any suggestions on how to get around this issue.
Thanks in advance.
$TTL 3600
@       IN SOA something.com.au. bofh.something.com.au. (
                2022112901 ; serial
                10800      ; refresh (3 hours)
                3600       ; retry (1 hour)
                604800     ; expire (1 week)
                3600       ; minimum (1 hour)
                )
        NS      ns1.something.com.au.
        NS      ns2.something.com.au.
        MX      10 mail.something.com.au.
; A Records
localhost       A       127.0.0.1
www             A       1.2.3.4
@       IN      A       1.2.3.4
; SPF records
; working without a problem.
www             TXT     "v=spf1 -all"
$ORIGIN this.something.com.au.
$TTL 3600 ; 1 hour
www             CNAME   stuff.somewhereelse.com.au.
@               CNAME   stuff.somewhereelse.com.au.
; SPF records
; BIND considers this an invalid statement - no corresponding 'A' record - conflict with CNAME?
www             TXT     "v=spf1 -all"
; working without a problem.
@               TXT     "v=spf1 -all"
$ORIGIN that.something.com.au.
$TTL 3600 ; 1 hour
www             CNAME   stuff.overthere.com.au.
@               CNAME   stuff.overthere.com.au.
; SPF records
; BIND considers this an invalid statement - no corresponding 'A' record - conflict with CNAME?
www             TXT     "v=spf1 -all"
; working without a problem.
@               TXT     "v=spf1 -all"
--
Chris.
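
Added example, not part of either message above: a Python check that applies the RFC 1034 section 3.6.2 rule quoted in the reply to a zone file, resolving $ORIGIN, "@" and blank owner fields before looking for names that hold a CNAME alongside other data. The zone text is a constructed sample modelled on the thread; the function names and the origin argument are this example's own, and the parser assumes absolute $ORIGIN values and no $INCLUDE.

```python
import re
from collections import defaultdict

DNSSEC_OK = {"RRSIG", "NSEC"}  # DNSSEC records may sit beside a CNAME
TTL_OR_CLASS = re.compile(r"(\d+[smhdw]?)+|IN|CH|HS", re.I)
# Constructed sample modelled on the thread's zone (not a real zone).
SAMPLE_ZONE = """\
$TTL 3600
@       IN SOA ns1.something.com.au. bofh.something.com.au. (
            2022112901 10800 3600 604800 3600 )
        NS  ns1.something.com.au.
www     A   1.2.3.4
www     TXT "v=spf1 -all"
$ORIGIN this.something.com.au.
www     CNAME stuff.somewhereelse.com.au.
        TXT "v=spf1 -all"   ; blank owner: inherits www.this...
mail 300 IN A 1.2.3.5
mail    TXT "v=spf1 a -all"
"""

def owner_types(zone_text, origin):
    """Map each fully qualified owner name to the RR types found at it."""
    seen, owner, depth = defaultdict(set), origin, 0
    for raw in zone_text.splitlines():
        # Blank out quoted strings and drop comments so ';' or '(' in TXT data is not misread.
        line = re.sub(r'"[^"]*"|;.*', lambda m: '""' if m.group()[0] == '"' else "", raw)
        continuation, depth = depth > 0, depth + line.count("(") - line.count(")")
        tokens = line.split()
        if continuation or not tokens:
            continue
        if tokens[0].upper() == "$ORIGIN":
            origin = tokens[1].rstrip(".").lower()
        if tokens[0].startswith("$"):
            continue
        if not line[0].isspace():  # owner field present, else reuse the last one
            name = tokens.pop(0).lower()
            owner = origin if name == "@" else (
                name.rstrip(".") if name.endswith(".") else f"{name}.{origin}")
        # Skip the optional TTL and class; the next token is the RR type.
        rest = [t.upper() for t in tokens if not TTL_OR_CLASS.fullmatch(t)]
        if rest:
            seen[owner].add(rest[0])
    return seen

def cname_conflicts(zone_text, origin):
    """Owners holding a CNAME plus other data (RFC 1034 section 3.6.2)."""
    return {o: sorted(t - {"CNAME"} - DNSSEC_OK)
            for o, t in owner_types(zone_text, origin).items()
            if "CNAME" in t and t - {"CNAME"} - DNSSEC_OK}
```

Calling cname_conflicts(SAMPLE_ZONE, "something.com.au") reports the name whose TXT record shares an owner with a CNAME, which is the combination a zone check can catch before the zone is loaded.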