
CNAME only zone?


Lightner, Jeff
Dec 9, 2011, 11:25:36 AM
to bind-...@isc.org

Is it possible to create a zone file that only contains a CNAME?

The request I got is to create a CNAME to point shop4water.com to shop4water.hostedbywebtstore.com.

We own shop4water.com - hostedbywebstore.com is something external that we don't own.

I've reviewed past posts and searched the internet. I see things saying "you can't have CNAME only" or "you can" or "you should use DNAME instead" and then others saying that "you can't use CNAME or DNAME with any other record and the SOA itself is a record".

So my basic question is: Is it possible to do this? If so, what should the zone file for shop4water.com look like? Is there another way to make queries for shop4water.com go to shop4water.hostedbywebtstore.com?

Phil Mayers
Dec 9, 2011, 11:41:24 AM
to bind-...@lists.isc.org
On 09/12/11 16:25, Lightner, Jeff wrote:
> Is it possible to create a zone file that only contains a CNAME?

This comes up a lot, it seems.

No. CNAME conflicts with any other record - including the SOA and NS
records required at the apex.

You will have to put an A record at the apex.

Lightner, Jeff
Dec 9, 2011, 11:55:07 AM
to Phil Mayers, bind-...@lists.isc.org
I don't know what you mean by that. Apex of what exactly - my zone file?

I can make a zone file that simply has a CNAME in it with no SOA, serial number etc...?

As noted I do not own the target zone so I can't update any records there.

Can you tell me exactly what the zone file should look like with the CNAME record at the "apex"?

Phil Mayers
Dec 9, 2011, 12:08:08 PM
to Lightner, Jeff, bind-...@lists.isc.org
On 09/12/11 16:55, Lightner, Jeff wrote:
> I don't know what you mean by that. Apex of what exactly - my zone file?

The zone is a tree. The records at the apex of the zone are those with
the same name as the zone - normally the SOA, NS, MX, and other records.

Since all zones must have a SOA and NS at the apex, and CNAME is
incompatible with any other record at the same name (except RRSIG/NSEC),
you cannot have a CNAME at the apex.

>
> I can make a zone file that simply has a CNAME in it with no SOA, serial number etc...?

No. You can't. Such zone files are syntactically invalid, and will not
be loaded by bind. This is easy to try e.g.

test.zone. 300 SOA ns.test.zone. hostmaster.test.zone. 100 2700 1800 3600 3600
test.zone. 300 NS ns.test.zone.
test.zone. 300 CNAME www.other.zone.
ns.test.zone. 300 A 192.0.2.1


# named-checkzone test.zone $FILE
dns_master_load: z:3: test.zone: CNAME and other data
dns_master_load: z:3: test.zone: CNAME and other data
zone test.zone/IN: loading from master file z failed: CNAME and other data
zone test.zone/IN: not loaded due to errors.

>
> As noted I do not own the target zone so I can't update any records there.
>
> Can you tell me exactly what the zone file should look like with the CNAME record at the "apex"?

As noted above, such a zone is invalid.

You *can* do this:

test.zone. 300 SOA ns.test.zone. hostmaster.test.zone. 100 2700 1800 3600 3600
test.zone. 300 NS ns.test.zone.
test.zone. 300 A 192.0.2.2 ; the IP of www.other.zone
ns.test.zone. 300 A 192.0.2.1

i.e. put an "A" record at the zone apex, with the IP of the "other"
server. It does mean you need a script / process in place to update the
A record if the name

Jan-Piet Mens
Dec 9, 2011, 12:09:58 PM
to Lightner, Jeff, bind-...@lists.isc.org
> I don't know what you mean by that. Apex of what exactly - my zone
> file? Can you tell me exactly what the zone file should look like
> with the CNAME record at the "apex"?

Determine the address(es) for the target domain name
shop4water.hostedbywebtstore.com (I'm using 127.0.0.1 as an example),
and add each to an A record in the zone, which should look a bit like
this:

$TTL 3600
@ IN SOA shop4water.com. root.shop4water.com. (
1 ; serial
3H ; refresh
1H ; retry
1W ; expiry
1H ) ; negTTL
IN NS ns7.worldnic.com.
IN NS ns8.worldnic.com.
IN A 127.0.0.1 ; replace w/ IP of target

As Phil said, a CNAME instead of the A record is illegal at the apex
(i.e. the top) of the zone; CNAME must not exist with other data e.g. NS
or SOA records, which are mandatory for a zone.

Hope that helps.

-JP

Phil Mayers
Dec 9, 2011, 12:10:33 PM
to Lightner, Jeff, bind-...@lists.isc.org
On 09/12/11 17:08, Phil Mayers wrote:

> i.e. put an "A" record at the zone apex, with the IP of the "other"
> server. It does mean you need a script / process in place to update the
> A record if the name

...blast.

"if the IP of the other server changes"
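The "CNAME and other data" failure that named-checkzone reports in Phil Mayers' post above, and the missing-SOA/NS case behind the original "CNAME only" question, can be reproduced without BIND. The following is an added example written for this page; it is not code from the thread or from BIND. It reads the simple one-record-per-line master-file format Phil used (owner, optional TTL, optional class, type, rdata; ';' comments; '@' for the apex) and does not handle parenthesised multi-line records or owner inheritance from the previous line, so Jan-Piet's $TTL/@ style file would need flattening first. The zones inside are constructed from the thread's examples.

```python
"""Apex-zone sanity check in the spirit of named-checkzone.

Added example, not code from the thread or from BIND. Reports the two
conditions discussed above: a CNAME sharing an owner name with any other
type (RRSIG/NSEC excepted), and an apex without the SOA and NS records
every delegated zone must carry.
"""
from collections import defaultdict

# DNSSEC types that may legitimately sit beside a CNAME at the same owner.
ALLOWED_BESIDE_CNAME = {"RRSIG", "NSEC"}


def _absolute(owner, origin):
    """Turn an owner field into a lowercase, fully-qualified name."""
    if owner == "@":
        return origin
    owner = owner.lower()
    return owner if owner.endswith(".") else f"{owner}.{origin}"


def parse_zone(text, origin):
    """Return (lineno, owner, rrtype) for each record line in `text`."""
    origin = origin.rstrip(".").lower() + "."
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line or line.startswith("$"):         # blank line or $TTL/$ORIGIN
            continue
        fields = line.split()
        owner, rest = fields[0], fields[1:]
        if rest and rest[0].isdigit():               # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":         # optional class
            rest = rest[1:]
        if not rest:
            raise ValueError(f"line {lineno}: no RR type")
        records.append((lineno, _absolute(owner, origin), rest[0].upper()))
    return records


def check_zone(text, origin):
    """Return a list of error strings; an empty list means the zone would load."""
    origin = origin.rstrip(".").lower() + "."
    by_owner = defaultdict(list)
    for lineno, owner, rrtype in parse_zone(text, origin):
        by_owner[owner].append((lineno, rrtype))

    errors = []
    for owner, rrs in by_owner.items():
        types = {t for _, t in rrs}
        if "CNAME" in types and types - {"CNAME"} - ALLOWED_BESIDE_CNAME:
            first = min(l for l, t in rrs if t == "CNAME")
            errors.append(f"line {first}: {owner}: CNAME and other data")

    apex_types = {t for _, t in by_owner.get(origin, [])}
    for required in ("SOA", "NS"):
        if required not in apex_types:
            errors.append(f"{origin}: no {required} record at apex")
    return errors


# Constructed zones mirroring Phil's two examples; 192.0.2.0/24 is documentation space.
CNAME_AT_APEX = """\
test.zone. 300 SOA ns.test.zone. hostmaster.test.zone. 100 2700 1800 3600 3600
test.zone. 300 NS ns.test.zone.
test.zone. 300 CNAME www.other.zone.
ns.test.zone. 300 A 192.0.2.1
"""

A_AT_APEX = """\
test.zone. 300 SOA ns.test.zone. hostmaster.test.zone. 100 2700 1800 3600 3600
test.zone. 300 NS ns.test.zone.
test.zone. 300 A 192.0.2.2 ; the IP of www.other.zone
www.test.zone. 300 CNAME www.other.zone. ; fine: www is not the apex
ns.test.zone. 300 A 192.0.2.1
"""

# The literal "zone file that only contains a CNAME" from the opening post.
CNAME_ONLY = "shop4water.com. 300 CNAME shop4water.hostedbywebtstore.com.\n"

if __name__ == "__main__":
    for label, zone, origin in (("cname-at-apex", CNAME_AT_APEX, "test.zone"),
                                ("a-at-apex", A_AT_APEX, "test.zone"),
                                ("cname-only", CNAME_ONLY, "shop4water.com")):
        print(label, check_zone(zone, origin) or "OK")
```

The "cname-only" case shows why the original question answers itself: with no SOA and NS there is nothing for the parent's delegation to land on, and as soon as you add them the CNAME collides with them.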

/dev/rob0
Dec 9, 2011, 12:41:06 PM
to bind-...@lists.isc.org
On Friday 09 December 2011 10:25:36 Lightner, Jeff wrote:
> Is it possible to create a zone file that only contains a CNAME?

As already answered, no.

> The request I got is to create a CNAME to point shop4water.com to
> shop4water.hostedbywebtstore.com.

You can ask your registrar if they can/will do this in the parent
"com." zone. I have seen ugliness of this type from either Network
Solutions or register.com before, not sure which.

> We own shop4water.comhostedbywebstore.com is something external
> that we don’t own.

Do note that hostedbywebtstore is not the same as hostedbywebstore;
we're sticklers for precise spelling.

Also note that other workarounds will solve the same problem in a
better way.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header

Lightner, Jeff
Dec 9, 2011, 12:52:58 PM
to bind-...@lists.isc.org
"Also note that other workarounds will solve the same problem in a better way."

Care to enlighten me as to what those workarounds would be?

Also - why is it a registrar can do a CNAME only but we mere mortals can't? In fact documentation from Amazon (it is apparently their web store I've since learned) suggests doing it at registrar so I'll probably go that route but I'm wondering why it should work there but not on one of my delegated name servers.






/dev/rob0
Dec 9, 2011, 1:21:35 PM
to bind-...@lists.isc.org
Please do not top-post. Thank you.

On Friday 09 December 2011 11:52:58 Lightner, Jeff wrote:
> "Also note that other workarounds will solve the same problem
> in a better way."
>
> Care to enlighten me as to what those workarounds would be?

Not knowing the exact situation puts me at a distinct handicap in
trying to do so, but I can suggest some possibilities beyond what was
suggested by Jan-Piet and Phil.

- A cron job to look up the desired name and nsupdate(8) the A
record for shop4water.com. when that address changes
- HTTP redirects, or just a redirect for shop4water.com to point to
your desired CNAME target; www.shop4water.com *can* be a CNAME.
- Find different hosting.

> Also - why is it a registrar can do a CNAME only but we mere
> mortals can't?

Only approved registrars are allowed to update records in official
top-level domains. You can make as many CNAME records as you like,
playing by the rule that a CNAME cannot coexist with a record of the
same name and any other RRtype.

Registrars are also bound by the reality of DNS. If you want a CNAME,
they do not delegate the zone to you. They remove any NS records which
had been in place for your zone, and your nameservers are no longer in
use for that name. In fact by not being delegated, it ceases to be a
"zone."

> In fact documentation from Amazon (it is
> apparently their web store I've since learned) suggests doing it
> at registrar so I'll probably go that route but I'm wondering why
> it should work there but not on one of my delegated name servers.

Phil answered this, but to restate/repeat, a delegated zone *must*
have SOA and NS records at the zone apex. Meaning: if shop4water.com
is delegated, the parent com zone at a minimum has NS records for
shop4water.com, and your zone *must* contain SOA and NS records for
shop4water.com.

Those SOA and NS violate the rule that a CNAME cannot coexist with a
record of the same name and any other RRtype.

Dixon, Justin
Dec 9, 2011, 1:36:00 PM
to Lightner, Jeff, bind-...@lists.isc.org
> "Also note that other workarounds will solve the same problem in a
better
> way."
>
> Care to enlighten me as to what those workarounds would be?


If all the use cases for the CNAME are for http traffic, just configure
an http server/load balancer/etc. under your control to return a 302 or
301 redirect back to the client browser and you maintain control if
needs change in the future.

1. Point DNS A record for shop4water.com to an IP of a webserver under
your control...
2. Use <insert your favorite webserver here> (using URL Rewrite rules,
perl, etc.) to send a redirect back to the browser to direct them to the
shop4water.hostedbywebstore.com URL.

Depending on whether you want to preserve the URL or not can vary the
type of redirects that you will be configuring but that is fairly simple
to setup on a variety of well known http servers.



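Justin's redirect workaround, as an added example that is not part of the original post: a small redirector you would put behind the apex A record of shop4water.com. The destination host name, the scheme and the decision to carry the request path and query across are assumptions; nothing here comes from the thread or from Amazon's documentation.

```python
"""Serve the apex of shop4water.com from a host you control and send
browsers on to the hosted store.

Added example, not code from the thread. TARGET_HOST, TARGET_SCHEME and the
listening port are assumptions.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

TARGET_HOST = "shop4water.hostedbywebstore.com"   # assumed destination
TARGET_SCHEME = "https"                           # assumed: the store speaks TLS


def redirect_location(path, keep_path=True, host=TARGET_HOST, scheme=TARGET_SCHEME):
    """Build the Location header for an incoming request path.

    Only an absolute path (with its query string) is carried over; anything
    else collapses to '/'. The host is fixed, so the request line cannot
    steer the redirect to a third party.
    """
    if not keep_path or not path.startswith("/"):
        path = "/"
    return f"{scheme}://{host}{path}"


class ApexRedirectHandler(BaseHTTPRequestHandler):
    # 301 is cached by browsers for a long time; use 302 while the
    # destination may still change.
    status = 301
    keep_path = True

    def _redirect(self):
        self.send_response(self.status)
        self.send_header("Location", redirect_location(self.path, self.keep_path))
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = _redirect
    do_HEAD = _redirect

    def log_message(self, fmt, *args):   # silence per-request logging
        pass


def serve(bind="0.0.0.0", port=80):
    HTTPServer((bind, port), ApexRedirectHandler).serve_forever()


def probe(path="/products?id=42"):
    """Start the redirector on a loopback port, issue one GET, and return
    (status, Location) so the behaviour can be checked without a browser."""
    srv = HTTPServer(("127.0.0.1", 0), ApexRedirectHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", srv.server_address[1], timeout=5)
        conn.request("GET", path, headers={"Host": "shop4water.com"})
        resp = conn.getresponse()
        result = (resp.status, resp.getheader("Location"))
        conn.close()
        return result
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(probe())   # (301, 'https://shop4water.hostedbywebstore.com/products?id=42')
    serve(port=8080)
```

Two things to settle before relying on this: the redirector only answers plain HTTP, so anyone typing https://shop4water.com/ needs a TLS listener with a certificate for the apex name in front of it; and once you have shipped a 301, browsers will keep following it from cache long after you change your mind, which is why the 302 is the safer choice until the destination is final.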

Matus UHLAR - fantomas
Dec 9, 2011, 2:32:27 PM
to bind-...@lists.isc.org
>On Friday 09 December 2011 10:25:36 Lightner, Jeff wrote:
>> The request I got is to create a CNAME to point shop4water.com to
>> shop4water.hostedbywebtstore.com.

On 09.12.11 11:41, /dev/rob0 wrote:
>You can ask your registrar if they can/will do this in the parent
>"com." zone. I have seen ugliness of this type from either Network
>Solutions or register.com before, not sure which.

Note that there still may be servers that have configured .com as
delegation-only and thus it won't work there.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Where do you want to go to die?" [Microsoft]

Matus UHLAR - fantomas
Dec 9, 2011, 2:34:35 PM
to bind-...@lists.isc.org
On 09.12.11 17:52, Lightner, Jeff wrote:
> Also - why is it a registrar can do a CNAME only but we mere mortals
> can't?

Because if you want a CNAME, you must put it directly into the .com zone,
which mere mortals just cannot do.
And I wonder if any registrar allows that.


风河
Dec 9, 2011, 7:44:03 PM
to bind-...@lists.isc.org
2011/12/10 Lightner, Jeff <JLig...@water.com>:
> Is it possible to create a zone file that only contains a CNAME?
>

Some nameservers can be set up to do that, though it breaks the RFC.

quote:
Never one to let a RFC stand in the way of a solution to a real
problem, we're happy to announce that CloudFlare allows you to set
your zone apex to a CNAME. This allows CloudFlare users to host on
EC2, Rackspace's Cloud, Google App Engine, or other cloud hosts and
use their naked domain (e.g., yourdomain.com) without forcing a hack
solution to a subdomain (e.g., www.yourdomain.com).

http://blog.cloudflare.com/zone-apex-naked-domain-root-domain-cname-supp


--
My Blog: http://nsbeta.info/

Mark Andrews
Dec 10, 2011, 5:26:49 PM
to 风河, bind-...@isc.org

In message <CAA3U4eO=EbKB2ECSS4F1=fF22rpK2XcbP7q...@mail.gmail.com>
While you can change what an authoritative server allows, the real
problem is what recursive servers do when they have a CNAME record
in the cache and you actually want resolvers to see the other records
that live beside the CNAME.

RFC 1034:
"The domain system provides such a feature using the canonical name
(CNAME) RR. A CNAME RR identifies its owner name as an alias, and
specifies the corresponding canonical name in the RDATA section of the
RR. If a CNAME RR is present at a node, no other data should be
present; this ensures that the data for a canonical name and its aliases
cannot be different. This rule also insures that a cached CNAME can be
used without checking with an authoritative server for other RR types."

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Barry Margolin
Dec 10, 2011, 7:20:28 PM
to comp-protoc...@isc.org
In article <mailman.507.1323556...@lists.isc.org>,
Mark Andrews <ma...@isc.org> wrote:

> In message
> <CAA3U4eO=EbKB2ECSS4F1=fF22rpK2XcbP7q...@mail.gmail.com>
> , 风河 writes:
> > 2011/12/10 Lightner, Jeff <JLig...@water.com>:
> > > Is it possible to create a zone file that only contains a CNAME?
> > >
> >
> > Some nameservers can setup that, though it's breaking the RFC.
> >
> > quote:
> > Never one to let a RFC stand in the way of a solution to a real
> > problem, we're happy to announce that CloudFlare allows you to set
> > your zone apex to a CNAME. This allows CloudFlare users to host on
> > EC2, Rackspace's Cloud, Google App Engine, or other cloud hosts and
> > use their naked domain (e.g., yourdomain.com) without forcing a hack
> > solution to a subdomain (e.g., www.yourdomain.com).
> >
> > http://blog.cloudflare.com/zone-apex-naked-domain-root-domain-cname-supp
>
> While you can change what a authoritative server allows the real
> problem is what recursive servers do when they have a CNAME record
> in the cache you you actually want resolvers to see the other records
> that live beside the CNAME.

If CloudFlare is similar to Akamai's solution, recursive servers never
see the CNAME record. Instead, when the auth server receives the query
for the A record of the apex, it performs its own query for the CNAME,
and returns the result of this.

--
Barry Margolin
Arlington, MA

Ken Peng
Dec 10, 2011, 7:37:34 PM
to bind-...@lists.isc.org
2011/12/11 Barry Margolin <bar...@alum.mit.edu>:

>
> If CloudFlare is similar to Akamai's solution, recursive servers never
> see the CNAME record.  Instead, when the auth server receives the query
> for the A record of the apex, it performs its own query for the CNAME,
> and returns the result of this.
>

That sounds interesting.
But if the remote auth server for the CNAME has multiple views, and
returns different IPs to different clients, then this solution may
not work as expected.

Regards.

Mark Andrews
Dec 10, 2011, 8:27:07 PM
to Barry Margolin, comp-protoc...@isc.org

In message <barmar-072F49....@news.eternal-september.org>, Barry Margolin writes:
>
> If CloudFlare is similar to Akamai's solution, recursive servers never
> see the CNAME record. Instead, when the auth server receives the query
> for the A record of the apex, it performs its own query for the CNAME,
> and returns the result of this.

The service provider could just push out signed address records
changes using UPDATE which would work with all vendors. It's not
like they don't know the addresses or which sites are being serviced.

The real problem is that W3C hasn't taken up SRV records or asked
for something more specific. CNAME was *never* the right solution
for this.
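/dev/rob0's "cron job plus nsupdate" workaround earlier in the thread and Mark Andrews' point here that address changes can simply be pushed out with UPDATE come down to the same script: look up the target, and if the apex A RRset differs, replace it in one signed update. The following is an added example written for this page, not code from the thread. It assumes BIND's dig and nsupdate are on PATH, that the primary named in MASTER accepts dynamic updates for the apex authenticated with the TSIG key in KEYFILE (`nsupdate -k`), and that the apex TTL is 300; every host name, path and address in it is a placeholder. Ken Peng's caveat applies in full: the addresses you capture are the ones the target's servers hand to *your* vantage point, so a target that answers differently per client cannot be mirrored this way.

```python
"""Keep the apex A RRset of shop4water.com in step with the address of
shop4water.hostedbywebtstore.com via dig + nsupdate.

Added example, not code from the thread. ZONE/APEX/TARGET/MASTER/KEYFILE
are assumptions; dig and nsupdate are assumed to be installed.
"""
import subprocess

ZONE = "shop4water.com"
APEX = "shop4water.com"
TARGET = "shop4water.hostedbywebtstore.com"   # spelled as in the original request
MASTER = "ns1.shop4water.com"                 # assumed primary that accepts updates
KEYFILE = "/etc/bind/keys/apex-update.key"    # assumed TSIG key file for nsupdate -k
TTL = 300


def addresses_from_short(output):
    """Parse `dig +short A` output. dig prints any CNAME targets it followed
    (names ending in '.') before the addresses; keep only the addresses."""
    return {line.strip() for line in output.splitlines()
            if line.strip() and not line.strip().endswith(".")}


def resolve_a(name, server=None, dig="dig"):
    """Set of A addresses for `name`, optionally asked directly of `server`."""
    cmd = [dig, "+short", "A", name] + ([f"@{server}"] if server else [])
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return addresses_from_short(out)


def build_nsupdate_script(master, zone, apex, ttl, addrs):
    """Replace the whole apex A RRset in one transaction, so the delete and
    the adds are applied atomically and no query sees an empty set."""
    apex, zone = apex.rstrip(".") + ".", zone.rstrip(".") + "."
    lines = [f"server {master}", f"zone {zone}", f"update delete {apex} A"]
    lines += [f"update add {apex} {ttl} A {a}" for a in sorted(addrs)]
    lines.append("send")
    return "\n".join(lines) + "\n"


def sync_apex(target=TARGET, zone=ZONE, apex=APEX, master=MASTER,
              keyfile=KEYFILE, ttl=TTL, run=subprocess.run, resolve=resolve_a):
    """Return True if an update was sent, False if nothing changed.

    Refuses to touch the apex when the target currently resolves to nothing,
    so a transient failure upstream cannot wipe your own record. `run` and
    `resolve` are injectable so the logic can be exercised without DNS.
    """
    desired = resolve(target)
    if not desired:
        raise RuntimeError(f"{target} has no A records right now; not updating {apex}")
    current = resolve(apex, server=master)      # ask the primary, not a cache
    if current == desired:
        return False
    script = build_nsupdate_script(master, zone, apex, ttl, desired)
    run(["nsupdate", "-k", keyfile], input=script, text=True, check=True)
    return True


if __name__ == "__main__":
    print("updated" if sync_apex() else "unchanged")
```

Run it from cron at an interval shorter than the target's TTL. Comparing against the primary rather than a recursive cache keeps the script from re-sending identical updates (and bumping the serial) every run, and restricting the TSIG key in named.conf to the apex A type with an update-policy keeps a compromised cron host from rewriting anything else in the zone.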

Barry Margolin
Dec 11, 2011, 1:59:28 AM
to comp-protoc...@isc.org
In article <mailman.510.1323563...@lists.isc.org>,
True. Akamai generally only uses it for domains that point to their
hosting/caching infrastructure. The apex points to a server that sends
an HTTP redirect to the www hostname, which is a real CNAME to Akamai's
domain, so then their GSLB logic is invoked.

John Wobus
Dec 16, 2011, 10:45:17 AM
to bind-users
> If CloudFlare is similar to Akamai's solution, recursive servers never
> see the CNAME record. Instead, when the auth server receives the
> query
> for the A record of the apex, it performs its own query for the CNAME,
> and returns the result of this.

In other words, if your theory is correct, this "CNAME"
is window dressing for the customer ("yes, they gave me a
CNAME, I'm happy!") while actually they serve A records
that they've specified to give the same answer as "whatever
address the A record of such-and-such name has". What they
present in their customer interface or store in their
zone-file-equivalent is arbitrary.

Makes DNSSEC interesting.

It's always helpful to be able to tell your customer "yes, we gave
you a CNAME, just like you asked for. We do it even if our competitors
say no!"

John Wobus

P.S. Hm, I wonder if a TLD will give me a three part CNAME:
if they've given me "example.com. CNAME foo", will they also give
me "www.example.com. CNAME foo"?
