Hi Ondrey, I think it's evident that these DNS servers are likely not e.g. BIND but I don't quite understand why we'd say the behavior is "invalid".
The DNS protocol, as I understand it, accepts that zone files may change at any moment and caches will catch up as ttls expire. That the zone file changed between the queries you made would explain your observations, right? One would have to get very lucky, but I think you could see the same output when querying a BIND nameserver. It appears these vendors have both created a DNS server that modifies the contents of zones, in real time, as each query arrives. The authoritative zone is changing each nanosecond in response to queries. If you want to call this "stupid DNS tricks", feel free. But I don't understand why it is illegal or "invalid" to create, modify or delete cnames in response to events. Every DNS server does this for some definition of "event" so a resolver cannot expect consistency between successive query responses. A resolver may cache the cname's existence (or non-existence) of course. But as long as the authorities accept that caching will happen and allow for it, why is there a problem? I think it's safe to assume they don't update the soa serial or propagate every change via axfr, but that seems to be the authority's concern. If we look hard enough, my employer's DNS service can be configured to change the values of cnames in response to queries (though I don't think they disappear ever). This does not seem fundamentally different. Is it causing some issue for resolvers? Gavin On Thu, Nov 27, 2025, 3:51 AM Ondřej Surý <[email protected]> wrote: > Same invalid CNAME behavior can be observed at msedge.net: > > ; <<>> DiG 9.21.14 <<>> +norec -t A l-ring.msedge.net. @ns1.msedge.net. > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19903 > ;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags:; udp: 1224 > ;; QUESTION SECTION: > ;l-ring.msedge.net. IN A > > ;; ANSWER SECTION: > l-ring.msedge.net. 60 IN CNAME l-ring.l-9999.l-msedge.net > . > l-ring.l-9999.l-msedge.net. 240 IN CNAME l-9999.l-msedge.net. > l-9999.l-msedge.net. 240 IN A 13.107.42.254 > > ;; Query time: 14 msec > ;; SERVER: 204.79.197.1#53(ns1.msedge.net.) (UDP) > ;; WHEN: Thu Nov 27 12:38:48 CET 2025 > ;; MSG SIZE rcvd: 113 > > but > > ; <<>> DiG 9.21.14 <<>> +norec -t HTTPS l-ring.msedge.net. @ns1.msedge.net > . > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6454 > ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags:; udp: 1224 > ;; QUESTION SECTION: > ;l-ring.msedge.net. IN HTTPS > > ;; AUTHORITY SECTION: > msedge.net. 900 IN SOA ns1.msedge.net. > msnhst.microsoft.com. 2016041201 1800 900 2419200 3600 > > ;; Query time: 14 msec > ;; SERVER: 204.79.197.1#53(ns1.msedge.net.) (UDP) > ;; WHEN: Thu Nov 27 12:38:57 CET 2025 > ;; MSG SIZE rcvd: 106 > > Ondrej > -- > Ondřej Surý (He/Him) > [email protected] > > > On 27. 11. 2025, at 12:34, Ondřej Surý <[email protected]> wrote: > > > > Hey Joe, > > > > found another case of CNAME weirdness. > > > > CNAME returned for A query (or NS or any other type that exists at the > target of the CNAME): > > > > ; <<>> DiG 9.21.14 <<>> +norec in A www.berlin-city-tour.de. @ > lina.ns.cloudflare.com. > > ;; global options: +cmd > > ;; Got answer: > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1239 > > ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 > > > > ;; OPT PSEUDOSECTION: > > ; EDNS: version: 0, flags:; udp: 1232 > > ;; QUESTION SECTION: > > ;www.berlin-city-tour.de. IN A > > > > ;; ANSWER SECTION: > > www.berlin-city-tour.de. 60 IN CNAME berlin-city-tour.de. > > berlin-city-tour.de. 300 IN A 167.71.36.225 > > > > ;; Query time: 17 msec > > ;; SERVER: 2606:4700:50::adf5:3abb#53(lina.ns.cloudflare.com.) (UDP) > > ;; WHEN: Thu Nov 27 12:27:02 CET 2025 > > ;; MSG SIZE rcvd: 82 > > > > CNAME not returned for NODATA answer: > > > > ; <<>> DiG 9.21.14 <<>> +norec in AAAA www.berlin-city-tour.de. @ > lina.ns.cloudflare.com. > > ;; global options: +cmd > > ;; Got answer: > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42854 > > ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 > > > > ;; OPT PSEUDOSECTION: > > ; EDNS: version: 0, flags:; udp: 1232 > > ;; QUESTION SECTION: > > ;www.berlin-city-tour.de. IN AAAA > > > > ;; AUTHORITY SECTION: > > berlin-city-tour.de. 1800 IN SOA amit.ns.cloudflare.com. > dns.cloudflare.com. 2389579513 10000 2400 604800 1800 > > > > ;; Query time: 17 msec > > ;; SERVER: 2606:4700:50::adf5:3abb#53(lina.ns.cloudflare.com.) (UDP) > > ;; WHEN: Thu Nov 27 12:27:33 CET 2025 > > ;; MSG SIZE rcvd: 114 > > > > I believe the CNAME has to be returned regardless of the target > existence. > > > > Cheers, > > Ondrej > > -- > > Ondřej Surý (He/Him) > > [email protected] > > > > > _______________________________________________ > dns-operations mailing list > [email protected] > https://lists.dns-oarc.net/mailman/listinfo/dns-operations >
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
