DNS Question

DAve dave.list at pixelhammer.com
Wed Oct 28 17:25:48 UTC 2009


Chuck Swiger wrote:
> On Oct 23, 2009, at 10:31 AM, Matthew Seaman wrote:
>>> You aren't supposed to use CNAMES for anything found in other RR's; 
>>> in particular, you should always use an A record with the hostnames 
>>> used for nameservers (ie, have an NS record), because you are 
>>> supposed to be using the canonical name rather than an alias.
>>
>> Errr?  You mean the rule that NS and MX and SRV rdata must include an
>> A record rather than a CNAME?  That's true, but what does that have to
>> do with web serving?
> 
> Consider the case of redirects involving cnames; you end up with a lot 
> of extra DNS traffic.
> 
>> The illegality mentioned further upthread is that you can't use a 
>> CNAME at a zone apex because of the 'CNAME and other data rule'[*] -- 
>> as there's always got to be SOA and NS records at the zone apex, if 
>> you want a web page at 'example.com' you'd have to provide an A or 
>> AAAA record for it.  Unless you're Verisign and have control over the 
>> nameservers for .com, this is almost certainly illegal:
>>
>> example.com. IN CNAME www.example.com
>>
>> On the other hand:
>>
>> www.example.com. IN CNAME example.com.
>>
>> is generally fine.
> 
> It's generally fine, sure, but almost never ideal.  You don't save 
> traffic by using CNAMEs instead of A records....
> 
>>> PS: It's odd where google pulls up references to fairly canonical
>>> docs, sometimes.  I'm not sure I even recognize "ua", and I suspect I
>>> deal with two-letter ISO 3166 country names more than most folks do.
>>> Maybe Ukraine?  :-)
>>
>> Of course it's Ukraine.  .uk was already taken, even though the two
>> letter iso-code for this country is officially .gb.  We're in an
>> exclusive club of two nations that generally don't use their official
>> iso-code in the DNS.  No prizes for guessing which the other one is.
> 
> Shucks, how can you pull in Jeopardy references and then deny giving out 
> prizes?  Well, my guess would be ie, although people who speak Finnish 
> and call their home "Suomi" might find "fi" odd, also....
> 
>>     Cheers,
>>
>>     Matthew
>>
>> [*] Little known factoid, but there are two legal exceptions to the
>> 'CNAME and other data' rule.  You can have RRSIG or NSEC records at
>> the same label as CNAME -- see RFC 4035.  Obscure DNS trivia for 100,
>> Alex...
> 
> Regards,


Just so everyone knows, having a domain with a CNAME at the top will 
hose your mail traffic. We tried it, and some servers delivered fine, 
others did not. Checking with dig +trace, and dns stuff, showed the 
problem. Just trying to get a MX record for mainstreetfin.com would fail.

The record we had was,
mainstreetfin.com CNAME website.elliemae.com

And the problem is shown below.

---------------------------------------------------------------
DNS Lookup: mainstreetfin.com MX record

Searching for mainstreetfin.com MX record at a.root-servers.net 
[198.41.0.4]: Got referral to M.GTLD-SERVERS.NET. (zone: com.) [took 39 ms]

Searching for mainstreetfin.com MX record at M.GTLD-SERVERS.NET. 
[192.55.83.30]: Got referral to ns2auth.tls.net. (zone: 
mainstreetfin.com.) [took 11 ms]

Searching for mainstreetfin.com MX record at ns2auth.tls.net. 
[65.123.104.30]: Got CNAME of website.elliemae.com. and referral to 
k.root-servers.net [took 36 ms]

Searching for website.elliemae.com MX record at g.root-servers.net 
[192.112.36.4]: Got referral to I.GTLD-SERVERS.NET. (zone: com.) [took 
143 ms]

Searching for website.elliemae.com MX record at I.GTLD-SERVERS.NET. 
[192.43.172.30]: Got referral to ns2.elliemae.net. (zone: elliemae.com.) 
[took 63 ms]

Searching for website.elliemae.com MX record at ns2.elliemae.net. 
[63.241.88.21]: Timed out. Trying again.

Searching for website.elliemae.com MX record at ns2.elliemae.net. 
[63.241.88.21]: Timed out. Trying again.

Searching for website.elliemae.com MX record at ns1.elliemae.net. 
[216.35.165.21]: Reports that no MX records exist. [took 46 ms]

Response:
No MX records exist for website.elliemae.com. [Neg TTL=300 seconds]

Details:
ns1.elliemae.net. (an authoritative nameserver for elliemae.com.) says 
that there are no MX records for website.elliemae.com.
The E-mail address in charge of the elliemae.com. zone is: 
hostmaster at elliemae.com.

NOTE: One or more CNAMEs were encountered. mainstreetfin.com is really 
website.elliemae.com.

----------------------------

So some mail servers never asked our authoritative servers what the MX 
record was. Interesting.

DAve

-- 
"Posterity, you will know how much it cost the present generation to
preserve your freedom.  I hope you will make good use of it.  If you
do not, I shall repent in heaven that ever I took half the pains to
preserve it." John Quincy Adams

http://appleseedinfo.org
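The failure DAve's trace shows follows directly from how resolvers handle CNAMEs (RFC 1034, section 3.6.2): when the owner name has a CNAME and the query was for some other type, the resolver restarts the query at the canonical name and never looks at anything else under the original owner. The following is an added, constructed Python illustration, not code from the post or from any DNS server; the record data is made up to mirror the situation described (mainstreetfin.com aliased to website.elliemae.com), and no network I/O is performed. It models a toy record store, a resolver that chases CNAMEs the way the trace shows, and a lint check that flags a CNAME sharing the apex with SOA/NS data.

```python
"""Why a CNAME at a zone apex breaks MX lookups: a constructed model.

The record stores below are made-up data for illustration; they are not
real zone files and nothing here talks to the network.
"""
from dataclasses import dataclass, field

# Record store layout: owner name -> {rtype: [rdata, ...]}
Records = dict[str, dict[str, list[str]]]

APEX_SOA = "ns1auth.example.net. hostmaster.mainstreetfin.com. 1 3600 900 604800 300"

# Broken configuration (constructed): a CNAME at the apex next to SOA/NS.
# Note that a real server such as BIND refuses to load a zone like this,
# which is one reason the "CNAME and other data" rule exists at all.
BROKEN: Records = {
    "mainstreetfin.com.": {
        "SOA": [APEX_SOA],
        "NS": ["ns1auth.example.net.", "ns2auth.example.net."],
        "CNAME": ["website.elliemae.com."],
        "MX": ["10 mail.mainstreetfin.com."],   # present, but never reached
    },
    "website.elliemae.com.": {"A": ["192.0.2.10"]},   # alias target: no MX
}

# Fixed configuration (constructed): A record at the apex, CNAME only on www.
FIXED: Records = {
    "mainstreetfin.com.": {
        "SOA": [APEX_SOA],
        "NS": ["ns1auth.example.net.", "ns2auth.example.net."],
        "A": ["192.0.2.10"],
        "MX": ["10 mail.mainstreetfin.com."],
    },
    "www.mainstreetfin.com.": {"CNAME": ["website.elliemae.com."]},
    "website.elliemae.com.": {"A": ["192.0.2.10"]},
}


@dataclass
class Answer:
    chain: list[str] = field(default_factory=list)  # owner names whose CNAME was followed
    rdata: list[str] = field(default_factory=list)  # records of the requested type at the end


def resolve(store: Records, name: str, rtype: str, max_hops: int = 8) -> Answer:
    """Resolve rtype for name, chasing CNAMEs as RFC 1034 s3.6.2 requires.

    If the owner has a CNAME and the query is not itself for CNAME, the
    query restarts at the canonical name; any other records at the
    original owner are ignored. That is exactly what happened to the MX
    lookup in the trace: the MX question was carried over to the target.
    """
    ans = Answer()
    for _ in range(max_hops):
        rrsets = store.get(name, {})
        if rtype != "CNAME" and "CNAME" in rrsets:
            ans.chain.append(name)
            name = rrsets["CNAME"][0]
            continue
        ans.rdata = list(rrsets.get(rtype, []))
        return ans
    raise RuntimeError("CNAME chain too long or looping")


def apex_has_cname(store: Records, zone: str) -> bool:
    """Lint check: a CNAME must not coexist with other data at the apex.

    Every zone apex carries SOA and NS, so any CNAME there violates the
    'CNAME and other data' rule (RRSIG/NSEC aside, per RFC 4035).
    """
    rrsets = store.get(zone, {})
    return "CNAME" in rrsets and any(t != "CNAME" for t in rrsets)


if __name__ == "__main__":
    for label, store in (("broken", BROKEN), ("fixed", FIXED)):
        a = resolve(store, "mainstreetfin.com.", "MX")
        print(f"{label}: chain={a.chain} MX={a.rdata} "
              f"apex_cname={apex_has_cname(store, 'mainstreetfin.com.')}")
```

Run stand-alone, the broken store yields an empty MX answer after following the alias to website.elliemae.com, while the fixed store returns the MX record and passes the apex check. The `resolve` function also works for A lookups of www.mainstreetfin.com, which is the case the thread calls "generally fine".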
