[BALUG-Talk] DNS ... CNAME records ... to CNAMES? How long a chain? Loops? ...

Rick Moen rick@linuxmafia.com
Thu Oct 13 07:48:11 UTC 2022


Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):

> DNS ... CNAME records ... to CNAMES?  How long a chain?  Loops? ...

Or:  Just don't.

Over a very large number of years of doing authoritative DNS, including
for some large Internet concerns, I eventually came up with a guideline:
Use a CNAME _only_ when an A (and/or AAAA) record cannot do the job --
and that basically means a cross-domain name reference.  

All other uses of CNAME create risk of errors, one or more of:

1.  CNAME breaks because you renamed the thing it used to point to, 
    but forgot to update the CNAME record.  (In fairness, this 
    is also a risk with cross-domain name references, but nothing
    fixes that.)  This error mode is analogous to the "dangling symlink"
    problem that teaches all sysadmins "don't use a symlink unless 
    a hard link cannot do the job".

2.  You absent-mindedly pointed one of the record types at the CNAME
    for which that reference is invalid (MX, NS), and had puzzling
    problems until you figured that out.

Both of these failure-modes go away automatically if you use, instead, A
or AAAA records pointing directly to the IP in question.

There is a standard objection one hears _every_ time this is discussed,
so I'll quote it and point out why it is dumb.  "But, if I do that, 
then any time I re-IP the underlying host, I'll need to change all 
the A or AAAA records to match, whereas if n-1 of the records are
symlinks, I need update only _one_ record."

That is true, but dumb -- because a single sed statement can change
n lines citing an IP exactly as easily as it can one.

And, believe me, you really need to learn to use scripted editing
to do DNS maintenance, anyway.  It not only prevents most errors, 
but makes any you commit much easier to find.  Also, it makes rollback
trivial and fast, no matter how many lines are affected.

Version B of the dumb objection is:  "But, because the zone is built out
of multiple include files, I'd need to make any IP change in a bunch of
separate files, whereas if n-1 of the records are symlinks, I need
update only _one_ record."

That is true, but dumb -- because a single one-liner with find, exec, and
sed can change n lines citing an IP across a group of include files 
exactly as easily as it can one.

Let's see, do I follow my own rule?

:r! grep CNAME /etc/bind/linuxmafia.com.zone
[censored]  	IN	CNAME	gv-[censored].dv.googlehosted.com.

Yep.  That's the record you can voluntarily add to your domain
if you want to use some of Google's services and let Google 
verify that the domain is yours, like Google's webmaster tools.
https://webmasters.stackexchange.com/questions/54527/why-is-googlehosted-com-in-the-dns-records-for-our-website-after-signing-up-fo
(now called Google Search Console,
https://search.google.com/search-console/about )

Everything else in linuxmafia.com that _most_ people would use CNAMEs
for, I use A records -- because that works and makes the possibility of
whole classes of problem go away.
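The scripted re-IP across include files and the MX/NS-pointing-at-a-CNAME mistake described above, as an added example that is not part of Rick's post: the zone data, file names and IPs are constructed, and it assumes GNU sed (for -E -i) and POSIX awk.

```shell
#!/bin/sh
# Added example, not from the original post. Re-IP A records across a set of
# zone include files with one find + sed command, count the result, and flag
# MX/NS records whose target is a CNAME owner in the same files. Zone data,
# names and IPs are constructed; assumes GNU sed (-E -i) and POSIX awk.
set -eu

# Escape the dots of an IPv4 address so sed and grep treat them literally.
ip_re() { printf '%s' "$1" | sed 's/\./\\./g'; }

# reip_zone DIR OLD NEW: rewrite every A record citing OLD to NEW under DIR.
# Anchoring on the record type and end of line means 10.1.1.1 never
# matches 10.1.1.10, which a bare s/OLD/NEW/ would do.
reip_zone() {
    old=$(ip_re "$2")
    find "$1" -type f \( -name '*.zone' -o -name '*.inc' \) -exec sed -E -i \
        "s/([[:space:]]IN[[:space:]]+A[[:space:]]+)$old[[:space:]]*\$/\1$3/" {} +
}

# count_ip DIR IP: number of A records pointing at exactly IP.
count_ip() {
    ip=$(ip_re "$2")
    find "$1" -type f \( -name '*.zone' -o -name '*.inc' \) -exec cat {} + |
        grep -Ec "[[:space:]]IN[[:space:]]+A[[:space:]]+$ip[[:space:]]*$" || true
}

# lint_mx_ns DIR: print MX/NS records whose target is the owner name of a
# CNAME (failure mode 2). Names are compared as written, so keep one style.
lint_mx_ns() {
    find "$1" -type f \( -name '*.zone' -o -name '*.inc' \) -exec cat {} + |
        awk '$0 ~ /[[:space:]]IN[[:space:]]+CNAME[[:space:]]/ { cname[$1] = 1 }
             $0 ~ /[[:space:]]IN[[:space:]]+(MX|NS)[[:space:]]/ { tgt[NR] = $NF; rec[NR] = $0 }
             END { for (n in tgt) if (tgt[n] in cname) print rec[n] }'
}

# make_sample DIR: a constructed zone split into a main file and an include.
make_sample() {
    mkdir -p "$1/inc"
    printf '%s\n' '$ORIGIN example.com.' '@    IN  A   10.1.1.1' \
        'www  IN  A   10.1.1.1' 'ftp  IN  A   10.1.1.10' 'ns1  IN  A   10.1.1.10' \
        '@    IN  NS  ns1' '$INCLUDE inc/mail.inc' > "$1/example.com.zone"
    printf '%s\n' 'mail IN  A   10.1.1.1' 'smtp IN  CNAME mail' \
        '@    IN  MX  10 smtp' > "$1/inc/mail.inc"
}

demo=$(mktemp -d)
make_sample "$demo"
reip_zone "$demo" 10.1.1.1 192.0.2.7
echo "A records now citing 192.0.2.7: $(count_ip "$demo" 192.0.2.7)"
echo "MX/NS records pointing at a CNAME:"; lint_mx_ns "$demo"
rm -rf "$demo"
```

The lint only catches the in-file case; a target that is a CNAME in another zone needs a resolver query.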
