On 21/11/2025 at 12:39, Viktor Dukhovni wrote:
On Fri, Nov 21, 2025 at 12:17:45PM +0100, Winfried via dns-operations wrote:
multiple possible CNAME values for a same record leading to
possible resolver's cache pollution.
As the way to get one value or another is trivial, the way to
control the resolver cached value is trivial too.
Please keep us informed if this case could cause problems for other resolver
operators as well or is otherwise relevant to them.
What isn't clear from the original report is whether:
1. A single query response returns multiple CNAME records, or,
2. Several separate queries (possibly in quick succession) return
different CNAMEs for the same qname.
Of these, only "1" is a problem. There is nothing wrong with "2",
rapidly changing CNAMEs for the same qname are to be expected, DNS data
is not necessarily constant, or consistent across all authoritative
servers, ...
So which is it?
Hi Viktor,
It is not 1., a case reported a few years ago on Gandi authoritative
servers and which they fixed.
It is not 2.: the response is perfectly stable at the authoritative
level for a fixed query type but different for two different query types
(like MX vs A for example), hence the "cache pollution" possibility,
whichever is the "expected correct value" from the user's point of view.
(There is no high-level functional equivalence between the two served
values.)
It seems to be a very specific convoluted corner case, involving
interactions between multiple advanced Cloudflare features, as Joe seems
to agree.
Emmanuel.
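
The following is an added example, not part of the thread and not written by any of its participants: a small audit that separates the two problem shapes discussed above, several CNAMEs in one response versus a CNAME target that depends on the query type. The observations, names under `example.` and the `audit` helper are constructed for illustration; in practice the tuples would come from answers collected directly from the authoritative servers.

```python
from collections import defaultdict

# Constructed observations: (qname, qtype, answer section as (owner, rrtype, rdata)).
# All names and addresses are placeholders, not data from the thread.
OBSERVATIONS = [
    ("www.example.", "A",  [("www.example.", "CNAME", "edge-a.example.net."),
                            ("edge-a.example.net.", "A", "192.0.2.10")]),
    ("www.example.", "MX", [("www.example.", "CNAME", "edge-b.example.net.")]),
    ("ok.example.",  "A",  [("ok.example.", "CNAME", "host.example.net."),
                            ("host.example.net.", "A", "192.0.2.20")]),
    ("ok.example.",  "MX", [("OK.example.", "CNAME", "host.example.net.")]),
    ("dup.example.", "A",  [("dup.example.", "CNAME", "x.example.net."),
                            ("dup.example.", "CNAME", "y.example.net.")]),
]

def norm(name):
    """DNS names compare case-insensitively; normalise to lower case, one trailing dot."""
    return name.lower().rstrip(".") + "."

def audit(observations):
    """Return {qname: [findings]} for the two shapes that can mislead a cache."""
    targets = defaultdict(dict)    # qname -> {qtype: CNAME target seen for that qtype}
    findings = defaultdict(list)
    for qname, qtype, answers in observations:
        q = norm(qname)
        # Only CNAMEs owned by the qname itself; later links in the chain are ignored.
        cnames = sorted({norm(rdata) for owner, rrtype, rdata in answers
                         if rrtype == "CNAME" and norm(owner) == q})
        if len(cnames) > 1:
            # Case "1" in the thread: one response carrying several CNAMEs.
            findings[q].append(("multiple-cname-in-response", qtype, tuple(cnames)))
        elif cnames:
            targets[q][qtype] = cnames[0]
    for q, by_type in targets.items():
        # The reported corner case: each qtype is stable, but the targets disagree.
        if len(set(by_type.values())) > 1:
            findings[q].append(("cname-differs-by-qtype", tuple(sorted(by_type.items()))))
    return dict(findings)

if __name__ == "__main__":
    for name, items in audit(OBSERVATIONS).items():
        print(name, items)
```

Case "2" from the thread (answers that change between queries over time) is deliberately not flagged, so the observations for one name should be taken close together and with a fixed query type each.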