DNS Question
Matthew Seaman
m.seaman at infracaninophile.co.uk
Fri Oct 23 17:31:27 UTC 2009
Chuck Swiger wrote:
> Hi--
>
> On Oct 23, 2009, at 9:18 AM, Sean Cavanaugh wrote:
>>> worse, it's illegal.
>>
>> how is this illegal? if you are residing your domain on a hosting
>> service, this makes sense to me. Granted it's bad form and should have
>> an A record to the host for the main domain record, but if I had
>> control over "otherdomain.com" and not "example.com" and had to change
>> the IP address, "example.com" would be dead until I was able to reach
>> the owner of that domain and have them change their DNS info.
>
> You aren't supposed to use CNAMES for anything found in other RR's; in
> particular, you should always use an A record with the hostnames used
> for nameservers (ie, have an NS record), because you are supposed to be
> using the canonical name rather than an alias.
Errr? You mean the rule that NS and MX and SRV rdata must include an A record
rather than a CNAME? That's true, but what does that have to do with web
serving?
The illegality mentioned further upthread is that you can't use a CNAME at a
zone apex because of the 'CNAME and other data rule'[*] -- as there's always
got to be SOA and NS records at the zone apex, if you want a web page at
'example.com' you'd have to provide an A or AAAA record for it. Unless you're
Verisign and have control over the nameservers for .com, this is almost
certainly illegal:

    example.com. IN CNAME www.example.com.

On the other hand:

    www.example.com. IN CNAME example.com.

is generally fine.
> PS: It's odd where google pulls up references to fairly canonical
> docs, sometimes. I'm not sure I even recognize "ua", and I suspect I
> deal with two-letter ISO 3166 country names more than most folks do.
> Maybe Ukraine? :-)
Of course it's Ukraine. .uk was already taken, even though the two letter
iso-code for this country is officially .gb. We're in an exclusive club of
two nations that generally don't use their official iso-code in the DNS. No
prizes for guessing which the other one is.
Cheers,
Matthew
[*] Little known factoid, but there are two legal exceptions to the 'CNAME
and other data' rule. You can have RRSIG or NSEC records at the same label
as CNAME -- see RFC 4035. Obscure DNS trivia for 100, Alex...
--
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
Kent, CT11 9PW
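
Added example, not part of the original message: a small Python checker for the two rules discussed in this thread, 'CNAME and other data' (with the RRSIG/NSEC exception) and NS/MX/SRV rdata that names an alias. The zone text is constructed, and the parser assumes fully qualified owner names, class IN and one record per line.

```python
from collections import defaultdict

# RRSIG and NSEC may share a label with a CNAME (RFC 4035); nothing else may.
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}
# Position of the target hostname in the rdata of types that must not name an alias.
TARGET_FIELD = {"NS": 0, "MX": 1, "SRV": 3}

# Constructed sample zone: apex CNAME plus an MX that points at an alias.
SAMPLE_ZONE = """
example.com.      IN SOA   ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300
example.com.      IN NS    ns1.example.com.
example.com.      IN CNAME www.example.com.
example.com.      IN MX    10 mail.example.com.
ns1.example.com.  IN A     192.0.2.53
www.example.com.  IN A     192.0.2.80
mail.example.com. IN CNAME www.example.com.
mail.example.com. IN RRSIG CNAME 13 3 3600 ; rdata truncated, constructed
"""

def parse(zone_text):
    """Yield (owner, rrtype, rdata_fields); no $ORIGIN, no parentheses (assumption)."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        i = 1
        if len(fields) > i and fields[i].isdigit():      # optional TTL
            i += 1
        if len(fields) > i and fields[i].upper() == "IN":  # optional class
            i += 1
        if len(fields) > i:
            yield fields[0].lower().rstrip("."), fields[i].upper(), fields[i + 1:]

def check(zone_text):
    """Return a list of (owner, problem) tuples for the rules above."""
    records = list(parse(zone_text))
    types_at = defaultdict(set)
    for owner, rrtype, _ in records:
        types_at[owner].add(rrtype)
    findings = []
    for owner in sorted(types_at):
        extra = types_at[owner] - ALLOWED_WITH_CNAME
        if "CNAME" in types_at[owner] and extra:
            findings.append((owner, "CNAME and other data: " + ",".join(sorted(extra))))
    for owner, rrtype, rdata in records:
        idx = TARGET_FIELD.get(rrtype)
        if idx is not None and len(rdata) > idx:
            target = rdata[idx].lower().rstrip(".")
            if "CNAME" in types_at.get(target, ()):
                findings.append((owner, f"{rrtype} target {target} is a CNAME"))
    return findings
```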