How not to set up your DNS (part 16)

July 9, 2007

Sort of presented in the traditional illustrated format:

; sdig ns
; dig cname
;; flags: qr aa; QUERY: 1, ANSWER: 1, [...]
             hostmaster.localdomain. [....]

(The TTL has been omitted and the line wrapped for clarity.)

This is not how you are supposed to say 'I do not have a CNAME record'. What should be doing is returning a reply with nothing in the 'answer' section and their SOA record in the 'additional authority' section.

The net result of this issue is that a number of resolving nameservers will return SERVFAIL when asked to see if is a CNAME, which has various interesting downstream consequences.

(Technically the zone says that has two other nameservers, however a) disagrees, since the extras are not in the NS records that the first two return and b) the extra two are non-authoritative anyways.)

Comments on this page:

From at 2007-07-29 15:34:00:

Hi Chris, i noticed your comment on "How not to set up a DNS", and using as an example. I have passed it on to my tech guys for their thoughts. Thanks for your comments.

Cheers Richard Keeves Managing Director, IBC

email richard at you can figure the rest

By cks at 2007-07-29 23:37:59:

(An obligatory note: I used magic site admin powers to relocate this comment from the page it was originally left on to here.)

By cks at 2007-08-16 12:34:44:

As a followup, I note that is now a CNAME to itself, and for extra bonus points their authoritative nameservers return the CNAME plus additional NS records. This doesn't work, to put it one way, and I have no idea why they want a CNAME that points to itself.

The net effect is that once you check for a CNAME record, as our mailer does, you're not going to be able to look up anything about for the next day or so.

(Apparently their primary nameservers are smart enough to not return the CNAME information unless asked specifically about it, which is both good and bad.)

Written on 09 July 2007.
« A suggestion for HMAC signature construction
How many bits of information are in a password? »

Page tools: View Source, View Normal, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Mon Jul 9 15:56:42 2007
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.